Blog

Aly McDevitt Week: Part 5 – Ransomware, Crisis Response, and the Compliance Imperative to Move Fast

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

McDevitt took a different but highly effective approach in this case study. Rather than centering the story on a single historical corporate scandal, she crafted an immersive fictional scenario grounded in real-life attacks, expert interviews, and public guidance. Compliance Week made clear that, while the company and its characters are imagined, the legal, operational, and compliance issues are very real. That makes this piece especially valuable for compliance professionals because it is less a postmortem of one company and more a practical field manual for the next crisis.

McDevitt’s story begins where many cyber incidents begin: with a person, not a machine.

A longtime employee, Betsy, receives an “urgent” email that appears to be from her boss. She clicks a malicious link, lands on a phony, internal-looking site, realizes too late that something is wrong, and then makes the mistake that turns a bad moment into a corporate crisis: she does not report it. Her silence gives the attacker time. Within days, the company, Vulnerable Electric (VE), a private utility serving 1.4 million customers with about 600 employees and $250 million in annual revenue, is facing a full-blown ransomware attack.

That is the first lesson, and McDevitt drives it home with precision. Ransomware is often described as a technology problem, but the first failure is frequently human, organizational, and cultural. Betsy clicked. But more importantly, she hesitated, feared blame, and kept quiet. As McDevitt explains through the expert commentary, her biggest mistake was not simply opening the link. It was actively deciding not to report the incident to the proper internal authority.

For compliance officers, that point should sound very familiar. Whether the issue is corruption, harassment, sanctions, safety, or cyber, organizations do not fail only because something bad happens. They fail because people do not feel safe reporting it quickly.

McDevitt also lays out why this issue matters so much now. She notes that ransomware payments in 2020 reached roughly $350 million, a more than 300 percent increase from the prior year, and that proactive prevention is no longer optional. She further situates the case study in the context of critical infrastructure, noting that entities such as utilities are subject to heightened scrutiny and are encouraged to align with the NIST cybersecurity framework. In other words, ransomware is not just an IT nuisance. It is an enterprise risk, a regulatory risk, and in some sectors a national security risk.

Once the attack is recognized, McDevitt shows the company doing something right: it moves into a structured response. The CEO activates the full cyber incident response team, or CIRT, and the war room includes not only technical leaders and legal counsel, but also the chief compliance officer, the head of communications, external incident response professionals, and other essential decision-makers. This is exactly what a mature response should look like. Cyber incidents do not fall under a single function. They are enterprise events.

I particularly appreciated how McDevitt uses the case study to underline the role of compliance. The CCO is not there as decoration. The article makes clear that if employee data has been exfiltrated, the incident constitutes a personal data disclosure with potentially local, state, and international notification consequences, and that compliance and legal personnel should be in the room from the start. That is a crucial point for corporate compliance professionals. Cyber risk management is not separate from compliance. It is now one of compliance’s core operating terrains.

McDevitt also captures the psychology of the first 36 hours. Anthony Ferrante says those hours are extremely stressful for a CEO, who is simultaneously thinking about operations, data, reputation, and people. That observation matters because it explains why preparation before an attack is so important. You do not want your executives inventing a process under duress. McDevitt reports that VE had already created an incident playbook with roles, escalation steps, and a five-part response framework: facts, business impact, root cause, corrective actions, and lessons learned. That is the kind of disciplined structure compliance leaders should insist upon.

Another strength of McDevitt’s reporting is her treatment of communications. Too many organizations still believe communications should be brought in late, after the lawyers and technologists finish their work. McDevitt, through multiple expert voices, makes the opposite case. Communications should have a seat at the table, not at the back wall. The reason is straightforward: stakeholders will forgive many things, but they will not forgive caginess. VE’s communications lead rightly argues that employees and customers should hear from the company first, not from the media or the attacker.

This point becomes even sharper when McDevitt contrasts VE’s approach with the real-life story of “Melvin,” an employee at another firm that remained offline for 10 days with no formal communication and did not disclose the sensitive data breach to employees in a timely or transparent way. That section may be the most important communications lesson in the entire piece. Employees are not bystanders. They are among the primary victims of a data breach, and they know when something is wrong. Silence destroys trust.

Then comes the hard question at the center of nearly every ransomware story: Do you pay?

McDevitt wisely resists easy moralizing. She notes the FBI’s official position is not to pay, because payment fuels the criminal business model and does not guarantee restoration. Yet she also reports the practical view of experienced practitioners: payment is not illegal per se, and companies often face a grim choice among bad options. The anonymous chief compliance officer quoted in the case study says it best: there are no good options, only the least bad option.

McDevitt’s two parallel paths, pay and do not pay, are particularly useful because they show that neither choice is clean. In Path A, VE pays $5 million, gets imperfect decryption support, recovers faster, but then faces scrutiny over whether it should have consulted OFAC before payment and whether it may have paid a sanctioned party. In Path B, VE does not pay, endures a longer recovery, suffers a data breach, and still faces reputational and legal fallout. McDevitt’s point is not that one route is right and one is wrong. Her point is that ransomware decision-making is governance under pressure.

That is why the postmortem matters so much. McDevitt closes the case study by emphasizing that the long-term impacts fall into three risk buckets: reputational, legal, and regulatory. She then turns to practical lessons: train the workforce, strengthen spam filters, run tabletop exercises, isolate infected devices immediately, secure backups offline, contact law enforcement quickly, do not rush engagement with the attacker, and communicate with each stakeholder group in a timely and tailored way. She also adds smart recommendations on canary files, forensic retainers, access reviews, logging, threat intelligence monitoring, and industry information sharing.

Finally, McDevitt ends on a note that compliance professionals should not miss. Betsy is not scapegoated. She is thanked for telling the truth and invited to participate in a phishing-resilience campaign for other employees. That is not sentimentality. That is culture. If your response to human error is humiliation, people will hide problems. If your response is accountability plus learning, people will surface them.

That may be the most important compliance lesson of all. Ransomware is a cyber crisis, but surviving it depends on culture, governance, and trust just as much as on technology.

I hope you have enjoyed reading about Aly’s case studies for CW. I am a columnist for Compliance Week.

2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 52 – The Big Jet Plane Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories this week include:

  • Trump closes tariff loophole on cheap online goods from China (MSN)
  • If A.I. Systems Become Conscious, Should They Have Rights? (NYT)
  • Sarah Hadden & Corporate Compliance Insights: “Failure was always a possibility. It just wasn’t an option.” (Ideas & Answers)
  • ‘Everybody’s Replaceable’: The New Ways Bosses Talk About Workers (WSJ)
  • Florida man casually offers officer a vodka spritzer during police chase, officials say (Fox 35 Orlando)
  • The Board’s role in ransomware planning. (Harvard Law School Forum on Corporate Governance)
  • DOJ National Security Division issued a Declination. (Crime, Corruption and Compliance)
  • Based on whistleblower tips, UBS will pay $511MM for Credit Suisse’s failure to live up to DPA. (ComplianceWeek)
  • Malaysia wants Tim Leissner. (WSJ)
  • What is risk paralysis? (FT)

Resources:

Kristy Grant-Hart on LinkedIn

Prove Your Worth

Greetings and Felicitations

Aly McDevitt on Ransomware Case Study, Part 2

Welcome to Greetings and Felicitations, a podcast where I explore topics which might not seem to be directly related to compliance but clearly influence our profession. In this episode, we conclude a two-part series with Aly McDevitt, Data & Research Journalist at Compliance Week. We take a deep dive into her recent case study series on a ransomware attack on a fictional company. Highlights include:

  • Who are hackers? What is a cyber incident response playbook, and how does each person handle their role in the event of a ransomware attack?
  • How and when should stakeholders be notified? Who should be notified, and what type of notification should be made?
  • What goes into the decision to pay? What are the pros and cons of each path?
  • What are some key lessons for companies from the story?
  • A hint of what Aly may have in store for future articles and series.

Resources
Ransomware case study in Compliance Week
Aly McDevitt

Everything Compliance

Episode 96, the Spring Arrives Edition


Welcome to the only roundtable podcast in compliance. The entire gang was also recently honored by W3 as a top talk show in podcasting. In this episode, we have the quartet of Jay Rosen, Jonathan Armstrong, Tom Fox and Matt Kelly. We conclude with our fan favorite Shout Outs and Rants.

1. Jay Rosen discusses the connection between corruption and the Russian invasion of Ukraine and the leadership differences between Presidents Putin and Zelensky. Rosen rants about Mavericks owner Mark Cuban over the allegations of former GM Donnie Nelson that Nelson was fired for reporting a sexual assault of a Maverick employee.

2. Matt Kelly looks at cybersecurity and the state of proposed new rules from the SEC governing the conduct of public companies which sustain a cyber breach. Kelly rants about West Virginia Senator Joe Manchin, who opposes electric cars because customers would have to wait too long at charging stations for batteries to be replaced (electric car batteries are recharged, not replaced).

3. Jonathan Armstrong looks at the increase in cyber-attacks and ransomware demands and a GDPR enforcement action involving Tucker’s. Armstrong shouts out to TV show editor Marina Ovsyannikova, who on live TV in Moscow stood up to President Putin by holding a sign which said, in Russian, “Don’t believe the propaganda. They’re lying to you here,” and in English, “No war … Russians against war.”

4. Tom Fox discusses the recent District Court decision in the Coburn case and what it means for all involved; the DOJ, companies under FCPA investigation and counsel who perform internal investigations. Fox rants about Texas AG Ken Paxton who once again disobeyed a District Court injunction forbidding the state of Texas from investigating the parents of transgender teens for child abuse. 

The members of Everything Compliance are:
  • Jay Rosen – Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Greetings and Felicitations

Aly McDevitt on Ransomware Case Study, Part 1

Welcome to Greetings and Felicitations, a podcast where I explore topics which might not seem to be directly related to compliance but clearly influence our profession. In this episode, we begin a two-part series with Aly McDevitt, Data & Research Journalist at Compliance Week. We take a deep dive into her case study series on a ransomware attack on a fictional company. Highlights include:

  • Why this subject matter for a deep dive?
  • The research that went into the piece: how many people were interviewed, and how long was the research process?
  • Writing style: locked in a room until it’s done, or a more collaborative process with an editor?
  • Story synopsis: how common is Betsy’s mistake?
  • What is the role of the CIRT and MSSP? How critical was VE’s preparation to its ability to respond?

Resources
Ransomware case study in Compliance Week
Aly McDevitt

Everything Compliance

Episode 92 – the Issues in 2022 Edition


Welcome to the only roundtable podcast in compliance. The entire gang was also thrilled to be honored by W3 as a top talk show in podcasting. In this episode, we have the sextet of Karen Woody, Jonathan Armstrong, Matt Kelly, Jay Rosen, Jonathan Marks and Tom Fox. We discuss some of the key issues we will be watching in 2022.

1. Karen Woody will be watching the legal evolution around SPACs and expansion of insider trading laws. Karen shouts out to workers in the travel industry for getting travelers home during the holidays.

2. Jay Rosen considers the Holmes verdict, Tyler Schultz and whistleblowers, and the celebrity BOD failure at Theranos. Rosen shouts out to Antonio Brown.

3. Matt Kelly considers the Log4j cybersecurity threat and the SEC move to regulate ESG. Kelly rants about Elon Musk selling his Tesla stock immediately before the company announces a massive product recall.

4. Jonathan Armstrong tackles several topics: ransomware, Safe Harbor, the EU Whistleblower Directive, supply chain and China. Armstrong shouts out Nicholas Burk and synthetic ransomware attacks.

5. Jonathan Marks looks at the intersection of crypto, currency and crime. Marks rants about the inconsistent information emanating from the CDC.

6. Tom Fox rants about Novak Djokovic.

The members of Everything Compliance are:
  • Jay Rosen – Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Compliance Into the Weeds

Ransomware Attacks and Internal Controls


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Today, Matt and Tom take a deep dive into the difference between a privacy breach and a ransomware attack.

Some of the issues we consider are:

  • Why are privacy breaches different from ransomware attacks?
  • What is an authenticated v. unauthenticated cyber-attack?
  • Why would the SEC get involved?
  • What internal controls are needed to prevent and detect a ransomware attack, and how will they be audited?
  • How can a material weakness in internal controls around ransomware lead to a financial restatement?
  • What will the SEC look at from an enforcement angle?

Resources
Matt in Radical Compliance

Compliance Kitchen

Treasury’s actions against cybercrime and ransomware


In this episode, The Kitchen takes a look at the Treasury’s actions against cybercrime and ransomware.

Daily Compliance News

September 18, 2021, the Sorry Rudy edition


In today’s edition of Daily Compliance News:

  • Court denies Giuliani request to withhold documents. (WSJ)
  • Companies grapple with the Covid vaccine mandate. (WSJ)
  • IMF chief denies undue influence. (NYT)
  • Treasury to tackle ransomware. (WaPo)

Fraud Eats Strategy

The Anatomy of a Ransomware Attack – Part 1

Ransomware is a type of malware used by criminal organizations to gain unlawful access to computer networks and encrypt the data stored on those networks, rendering it unusable. The criminal organization then holds the data hostage until a ransom payment is made. If the ransom is not paid, the victim organization’s data will either remain encrypted and unusable or be released to the public. The attack on Colonial Pipeline showcased not only how ineffective cybersecurity can be, but also the potential scale of disruption that can be caused when ransomware attacks target critical infrastructure.

Join us each week as we take a deep dive into the various forms of fraud across the world and discuss crime families, penny stock boiler rooms, international money launderers, narco-traffickers, oligarchs, dictators, warlords, kleptocrats and more.

Scott Moritz is a leading authority on white-collar crime and anti-corruption, and on the evaluation, design, remediation, implementation, and administration of corporate compliance programs and codes of conduct. He is also considered an authority on the establishment, training, and oversight of the investigative protocols carried out by financial intelligence, corporate security, and internal audit units.