Ransomware attacks by North Korea and others cause the US Treasury Department to threaten criminal charges against insurance companies or insureds who pay.
DENVER, CO, – In response to relentless cyber and ransomware attacks by North Korea, Iran and others against U.S. businesses, on October 1, 2020 the U.S. Department of the Treasury issued an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” This advisory threatens companies and their intermediaries (insurance companies and/or law firms) with civil fines and criminal penalties of up to $1 million and 20 years in prison if they make ransomware payments to hacking groups that have been identified as “Specially Designated Nationals (SDNs).” That’s government-speak for terrorists and others trying to harm us.
The threat of Treasury Department prosecutions is one more example of the federal government’s efforts to treat cybersecurity as the national security threat it is. The Department of Defense (DoD) is now aggressively acting to protect the Defense Industrial Base (DIB) with its Cybersecurity Maturity Model Certification (CMMC) program.
The General Services Administration (GSA) quickly followed suit and announced that it was incorporating CMMC into several GSA contracts. Additional federal agencies are expected to quickly adopt the CMMC model of requiring companies to obtain certifications that their IT infrastructure is secure prior to being awarded federal contracts. AND the CMMC Accreditation Body is in discussions with the EU, UK and Canada about adoption of the CMMC as their standard as well.
The thrust of all of this is clear. No cybersecurity? No government contracts.
This particular U.S. Department of Treasury prosecution threat was brought to a head when it was discovered that insurance companies were pressuring insured businesses to pay ransomware demands instead of resisting such payments. Insurance companies determined that it was less expensive to pay the ransom demand than it was to pay the business interruption and other damages associated with cyber-attacks. But insurance companies paying ransoms increased the incentive for a vast array of criminal enterprises including North Korea, Russia, China and Iran who are using such payments and criminal activities to fund their countries.
“Thank God we are finally taking action on this matter,” says Ray Hutchins, partner in Turnkey Cybersecurity and Privacy Solutions LLC (TCPS). “The US and our allies are losing hundreds of billions or more in cash and intellectual property EVERY YEAR. How long can we sustain such losses before the system collapses?”
Mitch Tanenbaum, Hutchins’ partner in TCPS, says, “The least expensive option for both insurance companies and businesses they insure BY FAR is to build professional cybersecurity programs that defeat hackers before ransomware or insurance payments become an issue. This is not rocket science, but it is hard…that’s why companies resist doing it.”
TCPS is the first and (so far) the ONLY company to offer “turnkey” cybersecurity and privacy programs to small to medium-sized companies. These are comprehensive, pre-engineered and professionally supported cybersecurity and privacy programs that have been designed for companies that don’t have the IT and cybersecurity resources to develop, deploy and maintain programs on their own.
“We know exactly how hard it is for a company to build and maintain a professional cybersecurity program. We have been helping companies do it for years,” Tanenbaum says. “None of us have any choice. Our capitalistic system operates on top of an IT infrastructure which is inherently insecure. The sooner we quit fooling around and protect it, the safer we’ll all be.”
The only way for a company to tackle cybersecurity is to deploy, maintain, and document professional cybersecurity programs. TCPS’s turnkey programs are by far the most cost-effective and fastest-to-deploy cybersecurity option for small to medium-sized companies. They help companies reduce risk and increase competitiveness.
“It takes years to develop cybersecurity programs that include all the processes, content, and support required,” Hutchins says. “We have done it (and are still doing it), but we have no illusions about our capability to scale and deploy our products to the extent required to protect our country.”