Doron Goldstein featured in the Wall Street Journal
21 September 2023 | Applicable law: US | 2 minute read
Doron Goldstein was featured in the Wall Street Journal article "Companies Remain Reluctant to Admit Paying Off Hackers."
Data Innovation, Privacy and Cybersecurity Partner Doron Goldstein discussed the Securities and Exchange Commission's (SEC) adoption of cyber incident reporting rules for publicly traded companies this past July. While companies may choose whether or not to pay hackers a ransom to restore business operations or avoid having any stolen data published, they often fail to disclose their decision. In a recent SEC filing, casino operator Caesars Entertainment avoided revealing whether they had paid a ransom to hackers this summer. Soon, however, companies will have to comply with the SEC's rules requiring them to report details of cyberattacks on their systems in 8-K filings. These rules come into effect in December, and other companies have already begun to comply by detailing attacks in their filings or other regulatory forms.
Though the SEC isn't the only regulatory or governing body with rules around incident reporting, their rules are likely to be more comprehensive. "The materiality threshold in the SEC rules would in many cases include whether a company paid a ransom," Doron told the Wall Street Journal. "Payments stretching into millions of dollars might be material for some businesses," he said. “We’re going to see more reporting of things the public didn’t know was happening before,” he indicated.
Increased cybersecurity measures and training have likely contributed to a reduction in the rate at which companies pay ransoms, but the average ransom payment has increased significantly. In some cases, paying a ransom may seem the obvious choice, assuming a company plans to avoid potentially injuring their reputation by keeping it quiet. Cybersecurity professionals disagree on whether or not to encourage victims to pay a ransom, and the FBI suggests paying a ransom simply increases the frequency of attacks. Unfortunately, in industries such as healthcare, cyberattacks can pose a real risk to public health if computer systems containing critical information are pulled offline.
You can read the full article here. Please note, a subscription may be required.