By Leeann Habte, Best Best & Krieger

BB&KRecent ransomware attacks on utilities and municipalities have heightened awareness of the all-too-common, costly threat. Hackers are stealing and disrupting data and shutting down operations — with a shifting focus on critical infrastructure that can impact everyday services and utilities.

A Global Issue with Local Implications

The threat has become so imminent, the Biden Administration released an executive order on improving the nation’s cybersecurity earlier this month. The comprehensive guidelines are featured here, but key takeaways for any municipality’s IT department include employing:

  • Multi-factor authentication
  • End-point detection and response
  • Encryption
  • A reliable cyber security team
  • Updated patching systems
  • Segmentation in your networks

Prevent the Siege 

There are preventative measures to safeguard your municipality to take now:

  • Prepare a security incident response plan. This plan is essential because, in the event your municipality is hit by ransomware attack, a series of emergency measures need to be immediately activated to protect you and your constituents – it requires contracts, relationships with forensic analysts, recovery of data and much more.

This plan should be tabletop tested to help determine which staff will be an essential part of your response team, gauge where you get stuck, how you can utilize resources, how to avoid leaks, order of communications and other key issues that may only come about with a full run through. 

  • Invest in security infrastructure and insurance. Large municipalities may review their security plans to address current threats, while smaller ones can outsource security to have the specialized expertise and shared cost of an outsourced security solution.

Cybersecurity insurance is critical, and certain insurance requires use of their vendors for maximum coverage. There may be exclusions for ransomware payments so the security incident response plan needs to include review of the insurance coverage.

  • Have appropriate vendors in place. Security is only as good as your vendors handling IT and operations. Think through how your municipality operates, conduct appropriate diligence on vendors, and have contracted protections in case of ransomware attacks that affect data or operations. 

Ensure you have vetted personnel and/or vendors who can stop an attack and recover your network. This will require extensive forensic analysis to determine if data was stolen and how far the attack penetrated your systems. 

Should it become necessary to negotiate with ransomware attackers, turn to an organization that specializes in this — they know attackers and can help navigate the considerations of whether to pay. 

  • Engage legal counsel. You will also need legal counsel with experience in data security and privacy to advise on your regulatory obligations to report the incident and to mitigate any harm that may result if data was accessed or stolen. There are certain legal prohibitions on paying foreign actors and potential consequences if those entities are identified by the federal government. There are also legal requirements for breach reporting to individuals whose data was compromised. Review of the security incident under attorney-client privilege will help you minimize your risks if you are later sued.  

Although law enforcement involvement would seem like an obvious first step, there is actually little that they can do to help you as the crisis unfolds and their involvement will be important after the fact to help locate and identify the perpetrators of the attack. 

  • Engage a specialist in crisis communication. You may need to engage your municipality’s public information officials or hire a public relations firm. Having a communication plan in place is essential to determine the who, what, when, why and how of the incident to your constituents and stakeholders. All communication efforts will need to include input from forensic analysts, legal counsel, address whether a data breach occurred and a review of what data was compromised. 
  • Have a back-up system and tested back-up plan. If data is not backed up, it is more likely you will need to pay ransom to get data back. Ransomware may encrypt data so it can’t be used, may exfiltrate data and threaten to publish it on the dark web, or may stop systems from operating and affect key infrastructure. A continuity plan needs to be in place so a municipality’s key services can continue to operate.
  • Conduct targeted employee training. Train your employees to prevent phishing attacks, as this is the most common way ransomware gets access to your system and use precautions like two-factor identification when employees access your networks. 

A ransomware attack can negatively impact your municipality in several practical and legal ways. The best defense it to be prepared and have a plan in place with vendors and legal counsel on standby so they can move immediately if this happens. 

 

Best Best & Krieger LLP Partner Leeann Habte counsels clients on information privacy and security programs. She is head of the firm’s Privacy & Cybersecurity practice and can be reached at leeann.habte@bbklaw.com.