Pay What You Owe: Fiduciary Duty and Ransomware


Posted on in Podcasts


In today’s world, data is currency. With that in mind, organizations need to consider the fiduciary duty they owe to data subjects, especially when they suffer a ransomware attack. This session outlines what types of fiduciary duties organizations have, why paying a ransom falls under those duties, how negotiations mitigate harm, and three steps for effectively responding to a ransomware attack.


Podcast Transcript

Kacy Zurkus:
You're listening to the RSA Conference Podcast, where the world talks security. Hello, listeners, and welcome to this installment of our RSAC 365 Podcast Series. This month's theme is analytics, intelligence, and response. Today we're joined by two guests who will be talking about the evolving reality that data is quickly becoming currency in today's world. With this reality in mind, what is the company's fiduciary duty to its data subjects? Who are its data subjects, particularly as it relates to ransomware?

Kacy Zurkus:
But before I turn it over to my guests and have them introduce themselves, I want to let you know that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe on SoundCloud or your preferred podcast app so you can be notified when new tracks are posted. Now I'd like to ask Karen and Rob to tell us a little bit about themselves before we dive into today's topic. Karen, let's start with you.

Karen Walsh:
Well, hey. My background is basically I spent 12 years doing internal audit for community banks, predominantly in the Bank Secrecy Act area. I am a lawyer who never practiced. I like to call it retired, simply because it didn't seem like a lifestyle that would work for me. Today I'm a subject matter expert for cybersecurity and privacy compliance because of my background experience.

Kacy Zurkus:
Thanks for joining us today. Rob?

Robert Fitzgerald:
Hi, Kacy. Thanks for having me on. My name's Rob Fitzgerald. I'm the founder of Arcas Risk Management. We are an organization that is focused on bringing enterprise class cybersecurity solutions to organizations of all sizes. We've been helping organizations understand what they need when it comes to security, risk, and compliance.

Kacy Zurkus:
Welcome to both of you. It's a pleasure to have you. Rob and Karen, I want to start with asking you both about what are the types of fiduciary duties that an organization might have? Rob, why don't you start us off?

Robert Fitzgerald:
Historically, when people think of fiduciary duties, they're thinking about specifically financial obligations, as well as they're thinking about regulatory obligations that they may have. But I think beyond that, what we've seen over the past 10, 15 years, and as we move forward, is there's a significant amount of value in intellectual property and in data. I think that we're seeing a shift contractually, meaning between organizations, that is also creating fiduciary responsibilities in how data is handled and managed.

Karen Walsh:
I think, Rob, you're exactly right. I bring on my lawyer hat and I put it on my head and I look at Black's Law Dictionary. When you look at the definition of fiduciary duty, they really focus on the trust and confidence involved in managing something. They talk about scrupulous good faith and candor. I think in cybersecurity and privacy specifically, we're seeing an increased request for that transparency or candor in how companies manage data.

Karen Walsh:
People are concerned that companies aren't using good faith when managing their data, and people are being asked to put a lot of trust and confidence in organizations. I think beyond the financial impact of being a fiduciary, organizations increasingly have an ethical responsibility to talk about it a lot. Rob mentioned the money a few seconds ago, and the best thing to think about is a living trust where you're managing assets for an elderly relative and you need to make sure that you're doing what's best for the relative's finances and not wasting money, or not embezzling money. I think that's something that applies particularly well to cybersecurity and privacy and data.

Kacy Zurkus:
I think it's so interesting. Karen, I want to tap into your background and the work that you've done and ask you if you could talk a little bit about banks in particular and the fiduciary duty that they have to both their clients and their boards, and the impact that these increased reporting requirements under OFAC rules will have on banks of all sizes.

Karen Walsh:
Kacy, thank you for asking that because it's a passion point of mine. Having worked predominantly with community banks, and having done Bank Secrecy Act audits, I'm fairly well acquainted with running OFAC checks. I understand the belief that if you can track a ransomware payment at the point of payment, in other words, through a bank and through OFAC checks, that you have a good chance of surfacing that cyber criminal.

Karen Walsh:
The flip side of that is I think it puts a lot of burden on banks that are smaller. Bank of America is going to have a ton of resources that a local community bank in Connecticut isn't going to have. I've seen banks have hard times with OFAC checks because even if they're running it through a system, somebody does something wrong and doesn't mark it correctly, and that leads back to the fiduciary duty conversation, an impact in their ability to meet their fiduciary duty to their customers and to their shareholders because a compliance risk and a compliance violation can come with fines and penalties, and that impacts your financials.

Karen Walsh:
Additionally, it comes with an operational cost in that they have to spend extra time doing this. Your local community banks may end up, if you have, as Rob handles often, and I can have him chime in after, small and mid-sized businesses maybe using those community banks. If we look at the Kaseya event, incident, that predominantly hit the small and mid-size companies. So what about their banks? What is the long-reaching impact to those smaller banks that those smaller customers might be doing business at? Rob?

Robert Fitzgerald:
I think you're absolutely right, Karen, and it's interesting because it's not just banks, but you hit on it. This is impacting the community as a whole. That's because as you look at the organizations that are impacted and where they sit, it reflects or resonates throughout. We're talking about banks, but there's also credit unions, there's advisory firms, there's hedge funds. All of these organizations have to figure out how they're going to handle this. I think it's significant because they don't have the resources to do that.

Robert Fitzgerald:
Quite frankly, I'm not even sure OFAC is able to keep up with the number of ransomware attacks that are happening and appear to be just increasing as time goes on, and managing how things like ransomware specifically are impacting demands, because it's very easy, cheap, free for a malicious actor to create a new wallet. How are you tracking whether or not this is an OFAC-listed organization or just more of a traditional smash-and-grab mugging of sorts using computers and technology?

Kacy Zurkus:
Rob, I appreciate your point that... We talked about banks in the previous question, but certainly the issue of ransomware and the fiduciary duty as it relates to ransomware impacts, as you said, trickles out beyond and impacts virtually every organization or company. As a follow-up, and moving on, maybe you can explain why paying a ransom falls under those fiduciary duties for organizations.

Robert Fitzgerald:
Thanks, Kacy. I'm going to get a lot of hate for this, but I think it's something that we need to be thinking about and addressing. The reality is there is this idea that when I as an organization or an individual provide information or data or money as an obligation to another organization, that they're going to treat that in a secure way, they're going to follow a set of guidelines, which have socially been accepted. I can't go and deposit my money in a bank and expect that the next day, "Hey, we were hacked. You no longer have your money."

Robert Fitzgerald:
That's the same with not just banking, but that's the same with manufacturing and health services, and all of the other ways that we instill or provide or share trust with an organization. The issue becomes, if you're not willing as an organization, as a victim, to negotiate with a ransomware gang, how are you showing good faith that you're looking to protect my data, our collective data, the data, the information, the financial resources of your customers, your partners, your vendors?

Robert Fitzgerald:
It's very difficult to do that. There's quite a few people, executives, that will say time and time again, "I'll never negotiate ransomware." Ultimately, what happens is when you look at the financial aspects of what that means, they end up having to go back on that empty threat because they don't have appropriate security or backup systems or logs in place because they have to generate payroll checks on the coming Friday. They have to report out information to regulatory boards on the coming month or whatever it is, and they don't have access to that information.

Robert Fitzgerald:
So when we really look at why does paying fall under a fiduciary duty, because ultimately, in more cases than not, when an organization is not fully prepared and becomes a victim of ransomware, the fastest, easiest, cheapest thing to do is to pay, collect back as much data and information that they can in that payment, and then work to harden their environment.

Robert Fitzgerald:
We help lots of companies, large and small, but in particular, in this mid market space that have been trying to grow over their lifetime, as an organization, saying they're doing the things that they're supposed to be doing, that the Fortune 100 are doing, and then when they're hit with ransomware, they're essentially caught and exposed for the fact that they're not doing the things they said they were doing.

Robert Fitzgerald:
And so, they now have to try to regroup, and the best way to do that is to appease the customers, whether it be healthcare customers, manufacturing customers, financial customers, to say, "We had an incident. This is what we did to resolve it. And now we're working to put a roadmap in place to ensure that this never happens again."

Karen Walsh:
I think, just to add on and clarify, again, when I put my lawyer hat on, I think in terms of what the legal ramifications are. Paying a ransom is really the way that the organization protects the trust. You've already broken it, maybe because you had some vulnerability that could have been patched. In some cases, it's a sophisticated attack. When you are mitigating the potential impact to your financial side, reducing the amount through a negotiation, reducing the impact to customers by getting that data back, as Rob said.

Karen Walsh:
By reducing all of the non-direct costs like legal fees that are associated with it, then you're protecting your shareholders because you're limiting costs. So you're meeting that fiduciary duty, and you're also providing the fiduciary duty necessary for customers who are placing their trust in you in terms of how you're managing their data.

Robert Fitzgerald:
Karen, I think you're right. I mean, at the end of the day, both of us share a perspective of, how do we help our clients stay out of the courtroom? How do we help our victims stay out of the courtroom as much as possible? When you look at it, it's a pretty straightforward conversation of, have you behaved in a way... Have you taken the actions that show that you at least attempted to clean up the mess that you're in?

Robert Fitzgerald:
I'm not looking to victim blame here, but what I am looking to say is, there are actions that can be taken. And then, a lot of times, this is one that, while it sounds there's a lot of bravado around, "We will never pay," it's not necessarily a good business decision to stick to that theme. Oftentimes, more often than not, customers can be empathetic, if not fully sympathetic to, "Wow, you were a victim, but you went above and beyond to protect our relationship the best that you could at that time. I get it. Let's move on."

Robert Fitzgerald:
As opposed to, "Let me get this right. You could have protected my information. You could have been back up and running, so that manufacturing your widgets so that I wouldn't miss my deadlines. And yet your ego got in the way to say, no way, we're not going to pay." Well, let me tell you, that's going to hurt twice because you now impacted me without sharing with me what the choices were. That's not acceptable. That breaks the trust.

Kacy Zurkus:
I want to hop in here and talk a little bit about what the preparation, that action, that organizations can take actually looks like. Yeah, the customer appreciates, to your point, Rob, when organizations can say, "You've done what you could to protect my data." But what does that actually look like? How can companies reach and maintain an appropriate level of security compliance in order to really be in compliance with their fiduciary responsibility?

Robert Fitzgerald:
Great question. In my mind, there's really two parts to this. The first part is understanding what type of data they have and where it's located, and how it's protected. And so, in this part here are the people and tools in place and working correctly to ensure that they know where the data is, and they know who's using the data and that the people using or accessing the data have access to it.

Robert Fitzgerald:
In today's day and age, it's very difficult to be able to justify or rationalize not using multi-factor authentication. It's very difficult, in larger organizations, to rationalize not using privileged access management solutions. It's very difficult to rationalize not having effective immutable or offline backup solutions for data, so that if you are hit, whether it be from a natural disaster or a ransomware attack, you're able to recover that data quickly.

Robert Fitzgerald:
On the flip side, the second part of that is really Karen's wheelhouse. It's the policies. It's the procedures. It's the documentation in the program around building and maintaining an auditable program that checks how compliant the organization is being. That compliance can be regulatory compliance. More often than not, we're seeing contractual compliance, meaning two organizations choose to work together in some format, and one is signing a contract that states they will handle data, handle breach events, handle information in a specific way, that they no longer actually adhere to. They sign the paper, but they don't do the work. This is one of Karen's specialties where, "Let's build out a program and talk to that."

Kacy Zurkus:
Rob, you had made the point that organizations in theory take the stance of, "We won't negotiate with ransomware attackers." And then, we talked about, what can organizations do to reach and maintain this appropriate level of security compliance? In theory, if a company is doing all that you said, they are able to stand by that stance of, "We don't need to negotiate with these ransomware attackers because we have this level of security that we can get up and going and not suffer the ramifications of this attack." Is that correct?

Robert Fitzgerald:
I love this question, Kacy. I think the answer is yes. It's not an unequivocal yes. It's more of a lawyer depends yes. But the answer is yes. Think of it this way. If an organization has data that they know is sensitive and it's stored in an encrypted manner, and only certain individuals have access to that encrypted data, and somehow the server or the database or whatever it is, the application gets encrypted from the ransomware gang.

Robert Fitzgerald:
They can go back and say, "Hey, look, we have a compliance program. We do internal audits. We use an external auditor or assessor to show that this is where the data is. What they stole is never good. It means we have a hole in our architecture, someplace that we need to fix. It's not usable. We should be safe." And we have these logs, or we have these processes in place, and we can show that to the people we have relationships, the organizations we have relationships with, to give them peace of mind.

Robert Fitzgerald:
At that point in time, if they can restore from backups, and the only thing impacted is encrypted data, well, then there's not necessarily a need to go that far because you've already put in place or followed your fiduciary duties and responsibilities, from my perspective, technical perspective.

Karen Walsh:
To add on to that, Rob, you're exactly right. If you look at the traditional definition of fiduciary, it focuses on having scrupulous good faith and candor. Compliance, for as much as people don't enjoy it, gives you that candor, that transparency to prove that the organization is following the best practices it can follow. The reality of today's data security and data privacy is there's always the opportunity to be breached. Nothing is ever going to be totally secure, so it becomes, how much did you do?

Karen Walsh:
Were you doing what you were supposed to and were you going above and beyond the minimum? If you're just hitting the minimum baseline, does that really fall under scrupulous good faith? Possibly. But I think if you have all of the documentation, and you've tested and retested, and you're continuously making sure that you review your controls and their effectiveness, then I think you're in a better place from that argument.

Robert Fitzgerald:
I agree.

Kacy Zurkus:
It's a great point. Yeah. Yeah. Karen, I wanted to ask you about this term data fiduciary. I would love it if you could explain for our listeners what that means, both from a literal definition standpoint, but also from an impact perspective when it comes to ransomware.

Karen Walsh:
From a literal perspective, I think this is a fascinating term. So thank you for asking, Kacy. I've been reading about this and it currently only exists in one law. India's Personal Data Protection Bill from 2019 used it for the first time. When I looked at it, they defined it as any person, including the State, a company, any juristic entity or any individual who, alone or in conjunction with others, determines the purpose and means of processing personal data.

Karen Walsh:
The short mom lawyer version of that is, if you are involved in managing data, you have to be in scrupulous, good faith and candor about what you are doing with that information. We did see that the proposed New York Privacy Act that didn't pass in 2019 also included the term. I think fundamentally what we're seeing is a shift. We always think of data in terms of bytes, binary, and code and things that aren't tangible.

Karen Walsh:
Today, specifically in terms of ransomware attacks, data is a currency. Organizations collect a lot of it. Organizations make a lot of money off of it, whether it's because they're selling it or because they're using it to provide better customer experiences, insert all the marketing words here. The reality is it's not a huge jump to see this duty to manage data and to be a data fiduciary as being any different from holding money in trust.

Karen Walsh:
So I think when we consider holding data as similar to that living trust example I gave earlier, just like someone who is a trustee for a living trust needs to manage that person's financial assets appropriately, keep them safe, ensure that there are no investments that go south if you know they could, a ransomware attack is the same thing. They have a duty, potentially, under a data fiduciary term, to get the data back and reduce the incident's impact on their customers or those data subjects.

Karen Walsh:
I think there's a lot of interplay here where we're seeing terms start to evolve. If we've already seen them in 2019, I don't think it's out of the realm of possibility that it's something that could catch on. We had a pandemic in 2020, a lot of regulatory requirements and legislative activities moved away from what they were looking to do prior to the pandemic.

Karen Walsh:
So I do think that it's something organizations should at the very least consider because most of our security and privacy compliance mandates hint at the responsibility organizations have. If you look at the GDPR, it doesn't use the term data fiduciary, but it's very specific about the fact that companies have a responsibility to data subjects. I think it's a term that, if it doesn't evolve as a specific literal term, as an idea will come to the forefront.

Kacy Zurkus:
Yeah. It's very interesting. When you think about that idea and its evolution, how does that then inform what businesses and government entities should be considering when they are thinking about whether to pay a ransom?

Karen Walsh:
Organizations, governmental entities need to consider the fact that data is a currency. From a business perspective, a fiduciary duty is fairly straightforward. You have to do everything in your power to protect the assets. Digital assets and data assets are now assets. You have to make sure that nothing you do can hurt the real owner. When organizations are considering their position and their security, they need to start thinking about whether they have done everything they could to protect the assets as part of their fiduciary duty, and as part of daily business.

Karen Walsh:
I think we can take some questions that financial fiduciaries need to ask themselves and reconfigure them a bit. Some questions might be, is there a conflict of interest that could hurt my customers if I don't pay the ransom? When Rob was talking about taking a hard line, is your hard line against paying the ransom for pride or whatever other purposes harming your customers whose data has been stolen?

Karen Walsh:
If there's a conflict of interest, you may not be doing your best to prevent harm. I think I need to ask, what would the potential impact to my customer be if I don't pay the ransom? Will not paying it hurt my customer? If not paying it means that that data is really going to be leaked on the dark web, or that customer's identity is going to be stolen, have you undermined that trust? Are you really acting with scrupulous good faith? Am I documenting my activities to prove that I'm doing everything I can to protect assets?

Karen Walsh:
Rob brought up compliance earlier. We've talked about it briefly, but if you're documenting what you're doing, that's the transparency or the candor from Black's Law, that gets to whether or not you're truly trying to do the right thing and doing it as best you can. People make mistakes. Even fiduciaries make mistakes. But are you more than negligent? Because the fiduciary standard is a strict liability standard. So it's not just, "Oh, I made an error." It's "This error really, really, really was a terrible life decision."

Karen Walsh:
Am I complying with all the laws that I need to meet? And increasingly that's difficult for organizations. I spend a lot of time talking about compliance. Even as Rob mentioned earlier, health care providers, they have to meet multiple ones. They have to meet HIPAA. Yes. But if they're collecting payments, they need to meet PCI DSS. Under other regulations, you might have to deal with California laws, or New York laws.

Karen Walsh:
Health insurance companies I believe would fall under the New York DFS privacy regulation. Don't quote me because I don't have it in front of me. But I believe that they might. Am I monitoring everyone involved in the process to make sure that they are doing what they need to do, and that they're doing it correctly? I think all of those things come together to help you ask questions about whether you are meeting those fiduciary duties, and whether you're doing the right thing as part of choosing to or not to pay a ransom.

Kacy Zurkus:
As much as I would not want to have been any of the folks that needed to make that decision, at Colonial Pipeline or JBS, I really would be fascinated to have a seat at the table and hear that conversation and really understand the dialogue that went on in the aftermath of these attacks, to make these decisions about, well, how do we move forward? Rob, I want to turn to you for a moment and understand a little bit about, if we look at that decision to pay a ransom, we understand that it's complicated. Can you talk a bit about how to help clients both stay out of court and pay the least amount of ransom possible?

Robert Fitzgerald:
There's a few questions in that question. The first is maybe the best way to stay out of court is to put in place the tools to avoid this happening, or minimize the impact so that it's caught before there's a permanent impact. I mean, that's obvious. But beyond that, I think where we get into is a conversation between what resources do we as a victim have available to us right now, and how can we use those resources to help us?

Robert Fitzgerald:
The other piece is understanding the value, the inherent value, to the point that you were just making, Kacy, of the systems and data that's been encrypted. If you understand that the environment that's encrypted is small in scope, or not necessarily relevant, or outdated in some way, shape, or form, you're able to take that into negotiations and use that information in the negotiations.

Robert Fitzgerald:
If it's the most critical component of your business, it's been encrypted, you want to understand what needs to happen to get that data back, or those systems back, so that you can be up and running as fast as possible. I think having clarity around the prioritization of systems and the data on those systems is important when you go into these negotiations. And then, why it's important, it's because the next question you want to ask is, once we decrypt the systems, how quickly can we get back up and running as an organization?

Robert Fitzgerald:
What does that new world, that post-ransomware world, look like within our organization? From my perspective, it's always important to understand what is and is not impacted, and what that impact looks like. And then, once you start negotiating, and let's get down to brass tacks here, once you start negotiating with the ransomware gang, what you are willing to live with and not. And often it ties back to, where are you going to be spending your money?

Robert Fitzgerald:
Is it going to be on the ransomware front, or is it going to be on the legal front? Or is it going to be on the recovery front? Typically, it's a mix of all three areas, but the more you can understand what's been impacted and what that impact looks like to the organization, Colonial Pipeline is a great example. They understood what happened and what needed to happen to be able to make sure that they could get the gas pipeline up and running again as quickly as possible.

Robert Fitzgerald:
Even that took a number of days. This was not something where... And it's never, let's just be real clear here. Even the simplest ransomware negotiations, from starting the negotiation, not the attack itself, but starting the negotiation, to finalizing the terms of the negotiation with the ransomware gang, the price you're going to pay, to transferring the different types of financial transfers that have to happen to be able to put the money in the ransomware gang's wallet, is no less than a week.

Robert Fitzgerald:
It takes time to go through all of this. And so, when organizations are thinking, "Geez, what would happen if we became a victim of ransomware?" They need to be thinking not in terms of minutes or hours or even days, but they need to be thinking in terms of weeks. Even the smallest organization, it's going to take approximately a week. Now, maybe it's five days, but realistically, so many organizations haven't thought through this, that they don't know.

Robert Fitzgerald:
Quite frankly, exactly to your question, they also don't know how to negotiate, which is why it's always important, from our perspective, to bring in... I mean, this is what we do, bring in an outside negotiator, because with an outside negotiator, there's no emotion tied to this. It's simply, "Let's make this as transactional as possible," and then help them get to a point where we can recover as quickly as possible.

Robert Fitzgerald:
When we're negotiating, it's important to understand, where's the data? How much is it? Which machines do we really care about? Because if it's a hundred machines and you only care about five, you have an ability to change how you're going to negotiate. Whereas if it's a hundred machines and all 100 are absolutely critical to be up and running again, for whatever reason, your ability to negotiate is significantly less, because even if you say, "Yes, I'll pay the full amount of ransom," you're still about a week away before the machines are decrypted and the money has been transferred, the wallet's been transferred, and the machines are decrypted, if they even decrypt at all.

Kacy Zurkus:
Obviously, the goal of an organization's cybersecurity strategy is to mitigate. Whether to pay or not pay, if you're hit with a ransomware attack, really comes down to mitigating harm. And so, it sounds like, Rob, what you're saying is negotiations can actually help you mitigate harm in response to an attack. Karen, do you have anything to add to that about how negotiations can actually mitigate harm?

Karen Walsh:
I think fundamentally, it boils down to mitigating the impact to your financials. If you're doing a ransomware negotiation the way Rob is discussing, you're definitely doing your best to reduce the overall impact on your financial accounting. Additionally, if you want to take data into account under the concept of a data fiduciary, the faster you get data back, the sooner you get that assurance over your data coming back to you and not being put out on the dark web or whatever they plan to do with it, you're doing your best.

Karen Walsh:
You're meeting that requirement of trying to protect it as much as possible. The longer you wait, the longer the impact is to your operating costs, your compliance costs, your legal costs; all of that adds up. So when you look at it, in terms of fiduciary duty to shareholders, you need to think about how you can mitigate that impact. When you look at it from the perspective of managing data and people putting their trust in you to hold that data, you need to consider how fast you can provide the assurance that you have done what you can to keep those people from suffering harm.

Karen Walsh:
So I think the sooner you get on the negotiation, the more you can bring down the cost, the faster you can bring it to a resolution, the better you're upholding your, for lack of a better aphorism, end of the deal.

Kacy Zurkus:
The industry is certainly evolving, as are our conversations about ransomware, for sure. It's so easy if things are black and white and we can just say, "No, we don't negotiate with ransomware attackers, and we don't pay the ransom." But this conversation has opened up the gray colors in between, and pointed to the very real challenges that organizations deal with, and the real, honest, and sometimes difficult conversations that need to happen in response to these attacks, which are unfortunately becoming all too frequent.

Kacy Zurkus:
We know that businesses are continuing to grapple with these security strategies, and I so appreciate both of you joining us to have this conversation today. Before we wrap up, do either of you have any parting words for our listeners?

Karen Walsh:
Honestly, at the end of the day, the best thing companies can do is focus on resilience and preparedness. From the regulatory perspective, I really think that we need to focus more on risk. We talk about the risk piece a great deal in compliance. I don't think regulatory actors follow through on that. I think they want it to be black and white. I don't think they're willing to, as you pointed out, see the gray in between those two lines.

Karen Walsh:
Instead of saying, "Someone who gets breached is bad. Someone who experiences a ransomware attack clearly has terrible security," focusing more on, are they prepared? Are they resilient? How fast can they get everything cleaned up? How fast can they remediate? How fast can they recover? That should really be a bigger message because we're never going to see a company that is 100% secure. I like to think every so often in terms of...

Karen Walsh:
I'm a big comics person. The Punisher show a few years ago on Netflix. Punisher looks at Captain America and says, "You don't like me because you're one bad day away from being me." He [inaudible 00:39:46] said it to Captain America. He said it to Daredevil. I think we're all one bad day away from being that next ransomware attack. So regulations need to focus on helping enable resilience and preparedness and giving a carrot as well as a stick, in my opinion.

Robert Fitzgerald:
I like what you're saying, Karen. I think, even a step further, as we think about regulations, we should be looking for ways to support victims instead of putting as much of the burden on victims as there is, because we are only... I mean, we've all seen this. We've seen insider behaviors, malicious insider behaviors or behaviors where an insider was, through a phishing attack, for example, tricked.

Robert Fitzgerald:
And so, what we need to think about is there is no silver bullet here. It's going to take a community, for us as a community, to behave and work together and to collaborate on best practices, new ideas, policies, and procedures, to reduce the amount of harm that a ransomware attack can have on an organization. As we do that, we'll continue to evolve and ransomware will either stop, not likely, or evolve or change. But the impact will be less.

Robert Fitzgerald:
I think as we work towards that, there's a lot of opportunity. Some of those ways, from a technical and process standpoint, we've covered here. And quite frankly, there's thousands of professionals out there to help organizations figure out how they can best implement the recommendations. It's not going to be one specific tool or policy or procedure. It's going to be a collection that meets the needs of the specific organization.

Kacy Zurkus:
Rob, Karen, this has been a really great conversation. Thank you both so much for being here with us today. Listeners, thank you for tuning in. A reminder that here at RSAC, we have a podcast twice a month, and I encourage you to subscribe on SoundCloud or your preferred podcast app, so you can be notified when new tracks are posted. If you're interested in being a guest on one of our podcasts, we'd love to have you. Visit rsaconference.com/becomeacontributor to learn more. Thank you all.



Participants
Karen Walsh

CEO and Founder, Allegro Solutions

Robert Fitzgerald

Founder and CEO, Arcas Risk Management

Analytics, Intelligence & Response

Tags: data security, governance risk & compliance, government regulations, incident response, ransomware