Florida’s Ransomware Law and What It Means for Government Entities
As of July 1, 2022, government entities – state agencies and local governments – in Florida are barred from making or complying with ransom payments in any capacity if hit by ransomware attacks. This is stipulated in a new set of amendments that were added to the State Cybersecurity Act. Other relevant additions to the Act include:
- The severity level of the cybersecurity incident must be clearly defined. Government entities must then report the incident to the state’s Cybersecurity Operations Center (CSOC), the Cybercrime Office of the Department of Law Enforcement, and the local sheriff within 12 hours of a ransomware attack, and within 48 hours of any other cyberattack.
- The report must include meticulous information about the incident, such as a factual summary, the data that was affected, details about the back-up, the ransom demanded, and more.
- Organizations must submit after-action reports to the Department of Law Enforcement following any kind of cybersecurity incident.
- CSOC must provide a consolidated incident report on a quarterly basis to the Florida Legislature and the Cybersecurity Advisory Council, and must inform them of the severity level of a cybersecurity incident within 12 hours of receiving an incident report.
- All state agency and local government employees must be given cybersecurity training within 30 days of employment, and again, annually.
Why the State Cybersecurity Act was amended
The main reason Florida outlawed ransom payments by government entities is that paying does not ensure the recovery of captured data. Research shows that, on average, only 8% of organizations are able to fully recover stolen data. Cybercriminals often choose to sell or reveal valuable information despite receiving huge ransom payments, and it is difficult to track where the funds go and what malicious agendas they end up funding.
Moreover, the more organizations pay cybercriminals, the more those criminals are emboldened to conduct further attacks. The goal is to decrease the likelihood of ransomware attacks by increasing cybervigilance, allocating a proper cybersecurity budget and department, adopting rigorous cybersecurity practices, and maintaining a strong cyber incident response plan – which currently isn’t the case for a lot of local government organizations.
These amendments act as a patchwork or update to previous regulations, as well as encourage other states to consider enforcing ransomware legislation, with the eventual hope of making it a national law.
However, some cybersecurity experts have raised concerns. While the ban on ransom payments was enacted with the intent of controlling the fallout of ransomware attacks, its effectiveness is largely untested for now.
Additionally, the new law requires the restructuring of cyber insurance policies and may result in increased cyber insurance premiums for government entities. Furthermore, it could encourage cybercriminals to double down on the severity of their threats and attacks, wreak enough havoc to create political pressure to reconsider these laws, or even increase the frequency of attacks on entities that are not covered by them, i.e. the private sector.
All in all, only time will reveal how useful this new legislation is against ransomware attacks.
The 2019 ransomware incidents in the Florida cities of Riviera Beach and Lake City are prime examples of how heavily public entities are affected. In fact, over the last three years, government organizations were hit by 246 ransomware attacks with costs coming up to almost $53 billion – these numbers will only increase in the future.
The threat of ransomware is not going away anytime soon, especially for local and state agencies. They make a prime target since downtime can greatly disrupt operational capability. Furthermore, they contain hoards of sensitive and confidential information. With all these factors in mind, it is imperative that government entities have robust ransomware policies in place – and these policies can no longer include the option of making ransom payments.
An efficient ransomware policy is crucial to providing an extra layer of security to your organization.
A strong ransomware policy should include the following steps:
- Preparation is key: Protect your organization by taking precautions. This includes teaching your employees cyber awareness, installing strong security controls such as encryption and firewalls, employing network segmentation on organizational servers, regularly patching network and device vulnerabilities, maintaining backups of important data on secure platforms, and ensuring strong and safe user policies for corporate accounts and devices.
- Validate the attack: There are a number of ways to verify whether your organization has been hit by a ransomware attack. Look out for locked or encrypted files and messages demanding money in exchange for getting them back. Users may report corrupted files with odd file extensions, “professional” emails that seem fishy, the sudden modification of a large number of files, or an unusually high number of processes running on a server.
- Isolate and contain the attack perimeter: Once you have identified a ransomware attack, you must contain it. Find out through which application or network the malware gained access, and immediately disconnect other devices from the internet to prevent it from spreading. Then remove the malware and block user access to the affected systems so that no further damage occurs to your network.
- Investigate and report: Conduct a thorough investigation of the attack and compile a detailed report. Work with a reliable cybersecurity firm like Gamma Defense to do so. Ensure that your report consists of all the requirements set by regulations and submit it to the appropriate authorities.
- Restore your data: You are unlikely to regain access to your stolen or encrypted data, which is where your backups play a vital role. You can use them to restore your servers and data and resume operations as usual. However, make sure to fix any vulnerabilities before restoring your data, to avoid secondary attacks.
- After-analysis: A post-incident analysis is necessary to determine what went wrong and how to prevent future attacks. Review the incident thoroughly, identify key mistakes, and correct them as required.
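The “Validate the attack” step above lists two signals that can be checked automatically rather than waiting for user reports: a sudden burst of modifications to many files, and files gaining odd extensions. The following script is an added example (not code from the original article or from any vendor named in it) that scores a file-server audit trail for those two signals. It assumes a simplified “timestamp user action path [destination]” line format; the audit lines, the user names, the placeholder `.zzz` extension and the thresholds are all constructed for the example, and in practice the events would come from an EDR, Sysmon or auditd feed.

```python
"""Heuristic triage of file-server audit events for ransomware-like activity.

Added example, not from the original article. Two signals are scored per
user within a sliding time window:
  1. a burst of write-class events (CREATE/MODIFY/RENAME/DELETE), and
  2. many files renamed to an extension outside the known set.
A burst alone (e.g. a backup job) is reported at medium severity; a burst
combined with mass re-extension is reported at high severity.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed line format (not a real product's log format):
#   <ISO-8601 timestamp> <user> <ACTION> <path> [<destination path for RENAME>]
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(CREATE|MODIFY|RENAME|DELETE)\s+(\S+)(?:\s+(\S+))?$"
)
WRITE_ACTIONS = {"CREATE", "MODIFY", "RENAME", "DELETE"}
# Extensions considered normal on this share (constructed allowlist).
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".csv", ".txt", ".pptx",
                    ".jpg", ".png", ".bak"}


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, path, dest = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "dest": dest}


def parse_log(lines):
    """Parse all lines, silently skipping malformed ones."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def _reextensions(events):
    """Count RENAMEs whose destination gains an unknown extension."""
    counts = Counter()
    for e in events:
        if e["action"] == "RENAME" and e["dest"]:
            src = PurePosixPath(e["path"]).suffix.lower()
            dst = PurePosixPath(e["dest"]).suffix.lower()
            if dst and dst != src and dst not in KNOWN_EXTENSIONS:
                counts[dst] += 1
    return dict(counts)


def detect_bursts(events, window=timedelta(seconds=60),
                  write_threshold=30, reext_threshold=10):
    """Return one alert per user whose busiest window crosses a threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] in WRITE_ACTIONS:
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):            # two-pointer sliding window
            while evs[end]["ts"] - evs[start]["ts"] >= window:
                start += 1
            span = evs[start:end + 1]
            if best is None or len(span) > best["writes"]:
                best = {"user": user, "window_start": evs[start]["ts"],
                        "writes": len(span), "reextensions": _reextensions(span)}
        reext_total = sum(best["reextensions"].values())
        burst = best["writes"] >= write_threshold
        reext = reext_total >= reext_threshold
        if burst or reext:
            best["severity"] = "high" if reext else "medium"
            alerts.append(best)
    return alerts


def constructed_sample_log():
    """Constructed audit trail: normal use, a nightly backup job, and a
    ransomware-like modify-then-rename burst. Not real data."""
    lines = [
        "2022-07-01T09:00:01 alice MODIFY /srv/share/finance/q2.xlsx",
        "2022-07-01T09:02:10 alice CREATE /srv/share/finance/notes.docx",
        "2022-07-01T09:03:00 bob MODIFY /srv/share/hr/roster.csv",
        "2022-07-01T09:40:12 bob RENAME /srv/share/hr/draft.docx /srv/share/hr/final.docx",
        "this line is malformed and is skipped",
    ]
    t0 = datetime(2022, 7, 1, 2, 0, 0)          # backup job: 35 writes, known ext
    for i in range(35):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} "
                     f"svc_backup CREATE /backup/nightly/file{i}.bak")
    t1 = datetime(2022, 7, 1, 13, 15, 0)        # suspicious: 25 files re-extended
    for i in range(25):
        ts = (t1 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} svc_scan MODIFY /srv/share/hr/doc{i}.pdf")
        lines.append(f"{ts} svc_scan RENAME /srv/share/hr/doc{i}.pdf "
                     f"/srv/share/hr/doc{i}.pdf.zzz")
    return lines


if __name__ == "__main__":
    for a in detect_bursts(parse_log(constructed_sample_log())):
        print(f"{a['severity']:6} {a['user']:12} writes={a['writes']} "
              f"from {a['window_start']} reextensions={a['reextensions']}")
```

On the constructed data the backup account trips the write-burst threshold alone and is reported at medium severity, while the `svc_scan` account trips both signals and is reported high; that split is deliberate, because scheduled jobs routinely produce write bursts and a burst by itself is not enough to page the on-call engineer. Tune `window`, the thresholds and `KNOWN_EXTENSIONS` to the share being watched, and treat a high-severity alert as the trigger for the isolate-and-contain step that follows.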