Chapter 2. Shifting Legal and Liability Landscape
So now you understand why and how ransomware is harmful, and you’re acquainted with many of the cyberattack techniques that are used in ransomware attacks. It’s time to examine the legal and regulatory risk your organization faces when victimized by ransomware attacks. Despite being victims, enterprises are being fined and penalized for actions taken before, during, and after successful ransomware attacks.
Regulatory Actions
Today’s ransomware attacks don’t simply cause operational disruptions; they most often exfiltrate sensitive and regulated data. Not only could some of your company’s data become inaccessible, but it could also be disclosed publicly or sold to the highest bidder—regardless of how the actual attack is resolved.
An additional cause for concern is data privacy regulations. Although the specific regulations that apply to your organization depend on where in the world you operate, which industry you’re in, and the size of your company, at least some compliance issues need to be on your radar.
In July 2023, the US Securities and Exchange Commission (SEC) announced that it would adopt new rules requiring SEC registrants to disclose the cybersecurity incidents they’ve experienced, as well as their cybersecurity risk management, strategy, and governance, on an annual basis. The new rules took effect in December 2023 and apply to all publicly traded companies that operate in the United States.
Organizations ...