Members from the Ransomware Task Force called for better incident reporting during a panel at RSA Conference 2022.
The RSA panel was titled "Progress in the Year of Ransomware: Analysis with the Ransomware Task Force" and featured four members of the task force: Phil Reiner, CEO of the Institute for Security and Technology (IST); Megan Stifel, IST chief strategy officer; Michael Phillips, chief claims officer at cyber insurer Resilience; and Michael Daniel, president and CEO of Cyber Threat Alliance.
The Ransomware Task Force is a public-private partnership formed last spring by the IST and dedicated to disrupting the threat of ransomware. The panel acted as a look at efforts made over the past year, as well as an opportunity to discuss progress that still needs to be made.
A key piece of the panel focused on incident reporting, which requires ransomware victims to notify the U.S. government after they've been struck by a cyber attack. The panelists discussed how difficult it is to get a complete picture of ransomware when public- and private-sector sources often have very different tallies when it comes time to present attack statistics each year.
"The FBI, through its IC3 reporting mechanism, came out with its ransomware reporting statistics, and it's extraordinarily low compared to what even a specialist cyber insurance company would see year in, year out," Phillips said. "So we still see this data gap, whether it's per unit of government or institutions like insurance companies, which aggregate the victim's data and experience. We're all seeing very partial aspects of the picture, which makes the reporting requirements that we've been discussing so, so important."
In a report that launched alongside the task force, four recommendations were made to support victims. These included clarity from the U.S. Treasury in its ransom payment guidance, a recovery fund for organizations that refuse to pay the ransom, creating a ransomware attack reporting standard and requiring organizations to disclose ransomware payments to the government prior to paying.
Stifel said progress has been made on all four fronts, and while there is still a ways to go in some aspects (specifically establishing a ransomware reporting standard), early task force efforts are promising.
"Creating a standard format for enterprise reporting … will be some time, but we do have this requirement in legislation -- maybe some of us will be retired by the time it's placed," she said. "But it's there -- we have to start somewhere. And I think that's one of the key takeaways from this experience; you may not get everything you want, but you will get what you can get in small steps. Phil [Reiner], initially when we kicked off the task force, kept saying we need ten 10% solutions and we'll put a big dent in this, and I think we're beginning to see that take shape."
During the Q&A, an audience member who is part of a managed security service provider asked the panelists why a theoretical victim -- especially one who doesn't engage with a cyber insurer -- should report a ransomware attack when it's hard to see a clear immediate benefit from doing so.
Daniel explained that one benefit of having a dialogue with a government entity is the additional clarity it may provide on whether paying the ransom would ultimately benefit the victim organization.
"There's a real question, actually, about whether or not paying a ransom actually pays off for you. For some companies, it will actually be [beneficial] from a microeconomic standpoint from their point of view," he said. "But it's not always necessarily the case, because a lot of the costs are involved in ransomware recovery, whether or not you actually paid the ransom."
Alexander Culafi is a writer, journalist and podcaster based in Boston.