The federal government has been grappling with a holistic response to the massive uptick in destructive ransomware attacks that have bombarded the country in recent years. As part of that response, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched a “Stop Ransomware” website, which is aimed at helping private and public entities test and improve their cybersecurity. Among other key features of this effort is a self-assessment tool allowing organizations to test their cybersecurity based on government and industry recommendations and standards. This is a potentially useful addition to any organization’s cyber preparedness toolkit. This may also become another benchmark against which the “reasonableness” of any company’s data security protections are measured when facing private claims or regulatory scrutiny after a ransomware attack.

The new Stop Ransomware website provides links to various resources with “recommendations based on operational insight from CISA and the [Multi-State Information Sharing & Analysis Center].” Central to these resources is the CISA September 2020 Ransomware Guide containing “Ransomware Prevention Best Practices” and a “Ransomware Response Checklist.” The guide’s “best practices” includes sections on, among other topics:

• creating backups of your data;
• creating a cyber incident response plan;
• testing and updating internet-facing devices;
• implementing a cybersecurity user awareness program on phishing attempts; and
• updating antivirus and anti-malware software.

In addition to this guide, the website compiles myriad other resources, including from the National Cyber Investigative Joint Task Force, the Federal Bureau of Investigation, and the National Institute of Standards and Technology.

To test whether your cybersecurity is up to par, the website provides a new “Cyber Security Evaluation Tool” that “guides asset owners and operators through a systematic process of evaluating Operational Technology and Information Technology.” It also features a “Ransomware Readiness Assessment” which “is a self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend against and recover from a ransomware incident.” After the assessment is complete, the tool provides a report summarizing the assessment’s results.

The resources on the CISA site and its new Cyber Security Evaluation Tool offer two potential benefits to any organization that decides to use them. First, they will potentially help any organization identify weaknesses in its cybersecurity posture and opportunities for improvement and hardening. A second potential benefit of these new resources and tools is that they may be added to the growing body of authorities that courts and regulators might look to when determining the reasonableness of any organization’s data security systems. Some state consumer privacy laws, including the California Consumer Privacy Act, contain a requirement that any covered entity’s cybersecurity procedures be “reasonable,” and a failure to implement reasonable security procedures can potentially expose an entity to liability. Even in the absence of statutory language requiring reasonableness, that is likely to be the standard by which courts and regulators judge any organization’s conduct when it falls victim to a ransomware attack. Complying with the Stop Ransomware guidance and using the new CISA evaluation tool may help any organization that is nonetheless hit with a ransomware attack tell a more persuasive story about the reasonable precautions it took.

Notably, this CISA guidance and the evaluation tool are both new and it remains to be seen whether they are effective in fighting the onslaught of ransomware attacks.