NEW YORK, Nov 17 (Reuters Breakingviews) – A surge in online hacking presents corporate executives with a new challenge, and a new set of costs to be borne. And in the wake of an attack on the U.S. arm of China’s biggest bank, a bid to stamp out ransom payments to cybercriminals looks far-fetched.
Joe Biden’s administration has drummed up support among 40 allies of the United States for a collective pledge never to pay ransoms, in the hope of starving cybercriminals of their main source of funding. The White House has even considered an outright ban on firms making ransom payments. In theory, it’s a great idea: if companies can’t pay a ransom, there’s no point in demanding one.
In the real world things are more fragile. A unit of Industrial and Commercial Bank of China (601398.SS) last week fell victim to a ransomware attack that wasn’t just a problem for the Chinese lender’s employees and customers: because the unit provides clearing for U.S. Treasuries, the attack added friction to one of the world’s most critical financial markets. The gang claiming responsibility, a group of digital extortionists called Lockbit, says ICBC paid up; the bank has not confirmed that. If a critical firm – say a bank with even bigger U.S. operations – faced prolonged downtime, things could get nasty.
That doesn’t mean companies should simply give in to criminals. Companies hit in recent attacks, from consumer goods maker Clorox (CLX.N) to casino operator Caesars Entertainment (CZR.O), have responded differently. But more firms are having to make the choice. Blockchain analytics firm Chainalysis reckons ransomware attackers siphoned at least $457 million from victims last year, likely an underestimate since companies typically disclose little detail about such incidents.
The alternative is to be unhackable – which means spending ever more on defenses. But there are no guarantees, and even backups are no silver bullet: attackers routinely seek out and encrypt or delete any backups reachable from the compromised network before detonating their payload. Ransomed firms that had backups of crucial company data got access to it back within a week just 45% of the time, according to a survey by cybersecurity firm Sophos, a rate comparable to that of firms that paid the ransom. Almost one-quarter of firms with backups still waited a month or more.
If politicians really want to ban companies from paying ransoms, they could help cover the considerable costs firms incur when they are hit. That is unlikely to happen any time soon given the tightness of U.S. government finances. Companies should therefore be prepared to shell out themselves, one way or another.
Follow @AnitaRamaswamy on X
The Industrial and Commercial Bank of China’s U.S. arm was hit by a ransomware attack that disrupted some trades in the U.S. Treasury market on Nov. 9.
Lockbit, a ransomware gang that says it was responsible for the attack, told Reuters on Nov. 13 that ICBC had paid it a ransom and that the deal was “closed” as a result. ICBC has not confirmed that claim.
A senior White House official said on Oct. 31 that the U.S. government planned to lead an alliance of 40 countries in a pledge to never pay ransom to cybercriminals.
Editing by John Foley and Aditya Sriwatsav
Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias.