Doron Goldstein featured in the Wall Street Journal

21 September 2023 | Applicable law: US | 2 minute read

Doron Goldstein was featured in the Wall Street Journal article "Companies Remain Reluctant to Admit Paying Off Hackers."

Data Innovation, Privacy and Cybersecurity Partner Doron Goldstein discussed the Securities and Exchange Commission's (SEC) adoption this past July of cyber incident reporting rules for publicly traded companies. While companies may choose whether or not to pay hackers a ransom to restore business operations or to avoid having stolen data published, they often do not disclose that decision. In a recent SEC filing, casino operator Caesars Entertainment avoided revealing whether it had paid a ransom to hackers this summer. Soon, however, companies will have to comply with the SEC's rules requiring them to report details of material cyberattacks on their systems in 8-K filings. These rules come into effect in December, and some companies have already begun to comply by detailing attacks in their filings or other regulatory forms.

Though the SEC isn't the only regulatory or governing body with rules around incident reporting, its rules are likely to be more comprehensive. "The materiality threshold in the SEC rules would in many cases include whether a company paid a ransom," Doron told the Wall Street Journal. "Payments stretching into millions of dollars might be material for some businesses," he said. "We're going to see more reporting of things the public didn't know was happening before," he indicated.

Increased cybersecurity measures and training have likely contributed to a reduction in the rate at which companies pay ransoms, but the average ransom payment has increased significantly. In some cases, paying a ransom may seem the obvious choice, particularly if a company expects to avoid reputational harm by keeping the payment quiet. Cybersecurity professionals disagree on whether or not victims should be encouraged to pay a ransom, and the FBI's position is that paying simply encourages further attacks. Unfortunately, in industries such as healthcare, cyberattacks can pose a real risk to public health if computer systems containing critical information are pulled offline.

You can read the full article here. Please note, a subscription may be required. 

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.
