Companies are often compelled to report security incidents such as data breaches to regulators. Companies in the UK, for example, will be legally obligated under GDPR to inform the Information Commissioner’s Office (ICO) if they suffer a breach involving personal information of customers or employees. Similar obligations exist under the likes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the U.S. or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
However, no such compulsion exists when it comes to reporting cybercrime to law enforcement, leading to agencies in both the UK and the U.S. warning of a massive gap estimated to be in the millions between the number of actual incidents and reported cyber crimes. Those unreported incidents make it harder to justify allocating resources to cybercrime units, which in turn limits agencies’ abilities to take down cybercriminals.
Why don’t businesses report cybercrimes, and are the reasons behind their reluctance justified?
Law enforcement agencies worldwide are rarely ever sure how many cybercrimes are being committed. In the UK, the gap between the Office of National Statistics’ annual crime survey and the number of crimes reported to Action Fraud, the UK’s national fraud and cybercrime reporting center, has been in the millions over recent years. A 2016 report by Barclays and the Institute of Directors found only 28% of cyberattacks against businesses in the UK were reported to the police.
In the U.S., the FBI’s Internal Crime Complaint Center (IC3) reveals that just over 350,000 cybercrimes were reported to it in 2018, yet estimates only 15% of victims report their crimes to law enforcement.
“If you think about a physical crime, the first people you call is the police,” Ian Dyson, commissioner of the City of London Police, said during the Cyber Trends 2019 event at London’s Mansion House in May. “Does that happen in the world of cyber? Are we the first port of call, or the last resort?”
A main reason behind the disparity is because many organizations are faced with the simple question of “what’s the point?” Identifying threat actors, especially when attacks come from abroad, is notoriously difficult. Law enforcement will be unlikely to help restore operations or prevent your stolen data switching hands. Though the FBI’s Recovery Asset Team (RAT) claims a high recovery rate of assets, recovery of money can be difficult unless acted quickly upon.
“The interest that a company has when a data breach occurs is to remedy the situation for itself, shore up any internal deficiencies that it has, ensure that this doesn’t happen again, and to fulfill its legal obligations in terms of notifying affected parties and regulators,” says C. Andrew Konia, data security partner at law firm McGuireWoods.
“The FBI’s interest is to identify and track down and prosecute the perpetrator and bring that perpetrator to justice,” says Konia. “I think companies often may feel that it’d be great to get the guy or girl that perpetrated this, but the crime is done. These hackers are hard to find, and you’ve got enough to deal with in a data breach without getting law enforcement involved to try to find somebody that is never going to be found. There’s no legal requirement to report that and it may be viewed as a time drain.”
Difficulty in attribution and a general lack of prosecution can also cause an apathy regarding reporting. According to the National Crime Agency (NCA), there is an average of one arrest per day relating to cybercrime in the UK, the majority of which are young people launching low-level attacks rather than the sophisticated groups behind serious or large-scale campaigns. Also, the fact the police may find a one-off incident involving a small amount of money or information not worth their time means companies may not see any point in reporting the incident.
“Companies may be reluctant to report such cybercrimes because of the time and expense that this might require, and the perception that it is not likely to result in recovery to the business,” says Scott Pink, special counsel at O’Melveny & Myers. “The primary reason would be that the incident does not justify the time and expense of getting law enforcement involved and is better handled internally.”
In fact, beyond doing nothing, some companies may fear that getting law enforcement involved may disrupt business further as they look to investigate incidents. “There’s this thought that the FBI or the Secret Service may descend upon these companies and try to take over that investigation,” says Konia. “That is, according to law enforcement, not true. These law enforcement agencies do not have any interest in taking over your investigation. They have an interest in finding the perpetrator.”
“In reality, those two may conflict, especially if this is a large data breach with significant consequences for the general population, and a company may find itself dealing with a lot of requests from the FBI when all it’s trying to do is focus on remediating the incident internally and taking care of its legal obligations externally,” says Konia.
During his presentation at the Cyber Security and Cloud Expo last month, Ben Russell, head of cyber threat response at the UK’s NCA, acknowledged that some companies worry that evidence gathering may impact business, but said that the police “do not put up police tape or put police cars outside of companies that suffer cyberattacks,” adding that investigations rarely affect business operations.
If incidents involve insiders, says Steven Richards, partner in the Dispute Resolution group for UK legal firm Foot Anstey, companies might see more benefit in not reporting it. “If the objective is getting money or data back, then the answer is that there isn’t much benefit [in reporting to law enforcement],” he says.
As priorities in such situations will be on recovering whatever money or information was stolen over sending the perpetrator to prison, companies may wish to keep it out of criminal courts and keep proceedings within civil courts. Companies can have civil and criminal claims running in parallel, but courts will usually give precedence to the criminal claims and criminal proceedings will have to run their course first before an organization can start trying to reclaim what was lost.
“If you want to get your money or assets back, it’s much better to take control and do it through the civil courts,” Richards says. “If you’re still minded to shop them to the police afterwards or you still want justice, you can think about that later.”
Another reason companies don’t report is the worry that reporting an incident will lead to it becoming public knowledge. “Organizations are understandably worried about reputation, but that is a misinformed calculation,” the NCA’s Russell said during his presentation. “Public disclosure would only happen at court long after an attack has been mitigated.”
City of London Commissioner Dyson said that although he understands that reputations can be at stake as a result of such incidents, he “challenges anyone to show me where the police has breached confidentiality. Reporting is not a risk.”
Given that breaches often hit the headlines regardless of whether a company has acknowledged there’s been an incident, reporting to law enforcement is the least likely avenue for such news to be released. Realistically, if a breach ever is discussed in public by law enforcement – for example in court if the perpetrators are caught and charged – this will be months, if not years down the line and long dealt with by the business. As the share prices of the likes of Maersk and Norsk Hydro proved, a well-managed public response to a breach doesn’t have to adversely negatively affect a company once operations are restored.
Companies that have a requirement to report incidents to regulators may worry that law enforcement will inform on a company if they have failed (or delayed) to do that. However, the UK’s National Cyber Security Centre has promised that is will not share information reported to with the ICO without first seeking the consent of the victim organization, while the NCA has made similar assurances. Likewise, in the U.S., FBI Director Christopher Wray last year promised that his agency will “treat victim companies as victims” and sharing information provided by companies to other agencies was not its responsibility.
“I think that is a hang-up that a lot of people have,” says Konia, “that notifying law enforcement somehow makes it public or somehow the FBI would share that information with regulators, but in this case these companies are victims, and the FBI has promised to treat them as such.”
During incidents such as ransomware, some companies may go against the advice of law enforcement and pay the ransom. A survey by AppRiver suggests over half of small- to medium-sized businesses would be willing to pay in the event of a ransomware attack, while SentinalOne research from 2017 found that only 54% of companies that had suffered a ransomware attack in the previous 12 months actually reported the incident to law enforcement. While a company may be on shaky moral ground around enabling criminals by giving them money, it would be unlikely to face punishment for paying a ransom and then reporting it to law enforcement.
While reporting may not help remediate the individual incident a company has suffered, there may be benefits in the longer term. As the recent takedown of the GozNym criminal network showed, law enforcement can work with foreign counterparts to stop organized cybercrime gangs, which can help reduce the number of attacks your business faces.
Konia says that the likes of the FBI are large federal agencies with lot of resources and a lot of experience in this field, and can be useful to have onside. “It may make a company’s investigation easier by having these experts at the ready. I know that when we have had clients contact law enforcement, and the FBI in particular, they have given some very interesting insights, assistance and knowledge.”
“The FBI can be a resource, and I think they want to be viewed as a resource,” Konia adds. “They can do other things. They can compel the disclosure of data for an internet service provider. They can work with foreign counterparts. They may be able to secure reporting extensions, in some cases.”
Companies reporting to law enforcement can help provide information toward intelligence sharing efforts, such as the FBI’s Infraguard or the NCSC’s CiSP program. Given that many victim companies will be one of a number of victims, all of which will be collecting different amounts and types of data relating to that attack, one company’s specific data breach might have clues related other data breaches that law enforcement could use in their investigations. If an organization discovers evidence of an ongoing business email compromise attack, for example, informing law enforcement may help shut that down before too much damage is done.
At the Mansion House event, Commander Karen Baxter, national coordinator for economic crime at the City of London Police, urged businesses to report crimes to aid wider investigations. “You might have the missing part of the jigsaw when it comes to intelligence,” she said.
A less direct benefit is that it can help with incident recovery on the insurance and compliance side. “When you’re reporting these breaches to regulators,” says Konia, “it’s a good story to tell: ‘Look, we did everything that we could here, we properly investigated it, remediated it, and reported it, and we also thought that law enforcement might be able to help us and so we reported to law enforcement as well.’”
Foot Anstey’s Richards adds that reporting is both helpful and sometimes necessary when it comes to insurance, as insurers will want to know there has been a cybercrime and ask for a crime reference number when a claim is submitted.
While both Konia and Richards are reluctant to say that they would always advise firms to contact the police or other agencies, they both acknowledge it can be helpful. “I will say that generally speaking, I am pro notification; I think it can help the client,” says Konia. “You never know when a lead or an incident that that may seem meaningless, or a cold case or cold trail may actually be useful to them.”
“I think there’s a difference between saying ‘should we report it,’ as opposed to ‘are we actually going to get a real benefit from reporting it to the police.’ Those are the two different questions,” says Richards. “If it’s a private fraud in the sense that you know who the fraudster is, then generally I don’t think that are they are prime cases to go to the police. I think where you’ve got an unknown cybercrime or it’s a large scale complex international fraud, then invariably, you should and could get the police involved.”
O’Melveny & Myers’s Pink says the decision to report has to consider the nature of the incident, the scope of the harm or potential harm, whether the incident is significant enough that law enforcement would actually pursue it, and how getting law enforcement involved would impact the business in terms of costs and resources it must dedicate to the law enforcement investigation and the benefit to the business of a successful outcome.
