Wary of alarming investors, companies victimized by ransomware attacks often tell the SEC that “malware” or a “security incident” disrupted their operations.
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
On Aug. 21, Lumber Liquidators’ corporate and store-level computer systems began to shut down. Without them, the flooring company’s retail employees couldn’t check product prices or inventories. They had to send in orders to distribution centers by phone or from their personal email accounts and write down customers’ credit card information on paper. Each transaction took up to half an hour. Amid the chaos, sales took a hit. So did morale, since sales factored into employee bonuses.
“You couldn’t really sell or haggle anything,” said Trevor Sinner, then a store manager in Los Angeles. “You couldn’t see inventory, you couldn’t see cost, you couldn’t see anything.”
Once most of the computer systems were back online six days later, the Virginia-based retailer reported what it called a “network security incident” showing “symptoms of malware” to the Securities and Exchange Commission. But Sinner got a different explanation from a divisional vice president, who confided that the real culprit was ransomware — malicious software that freezes computer files and demands payment to decrypt them.
“We knew it was ransomware a long time ago,” Sinner said. “I don’t think the company disclosed it was ransomware to anybody, even now.”
Each year, millions of ransomware attacks paralyze computer systems of businesses, medical offices, government agencies and individuals. But they pose a particular dilemma for publicly traded companies, which are regulated by the SEC. Because attacks cost money, affect operations and expose cybersecurity vulnerabilities, they sometimes meet the definition used by the SEC of a “material” event — one that a “reasonable person” would consider important to an investment decision. Material events must be reported in public filings, and failure to do so could spur SEC action or a shareholder lawsuit.
Yet some companies worry that acknowledging a ransomware attack could land them on the front page, alarm investors and drive down their share price. As a result, although many companies cite ransomware in filings as a risk, they often don’t report attacks or describe them in vague terms, according to experts in securities law and cybersecurity.
Weak or no disclosure to the SEC is one of several omissions that hamper federal monitoring of ransomware assaults on U.S. businesses. Companies seldom choose to alert the FBI, fearing that the attacks would become public, that agents might investigate unrelated problems or that the bureau would discourage them from paying ransoms. And at least two data recovery firms that some victimized businesses hire to pay the hackers have not registered with a bureau of the U.S. Department of the Treasury that tracks financial transactions involving suspected criminals.
These gaps become more glaring as the ransomware danger grows. In an October announcement, the FBI warned that attacks “are becoming more targeted, sophisticated, and costly,” and that losses from them “have increased significantly.” Some recent ransomware attacks have resulted in the theft of victims’ sensitive data and threats to sell or publish it — a breach of security that could undermine one of the most common corporate rationales for lack of disclosure. John Reed Stark, a former SEC enforcement attorney, said companies have leaned on the notion that ransomware attacks aren’t material because there’s little evidence that personally identifiable information — the release of which may trigger reporting requirements in various states — is stolen.
“The general consensus is that data was not exfiltrated, so we don’t have to say anything,” said Stark, now a consultant for businesses dealing with ransomware and other cyber issues. He added later, “Ransomware attacks have now evolved into data breaches, and it is terrifying.”
Even when companies do allude to an attack in SEC filings, they typically resort to euphemisms rather than the very word that best describes what paralyzed their business and caused millions of dollars in losses. Just as wizards in the Harry Potter books speak of evil Lord Voldemort as “He Who Must Not Be Named,” so companies are loath to refer to dreaded ransomware.
“They specifically avoid saying it,” said Bill Siegel, chief executive of Coveware, a Connecticut-based firm that analyzes ransomware victims’ options and often pays the ransom on their behalf. “They generally don’t use the word ‘ransomware’ for obvious reasons. It’s an ugly term. It scares people.” By using more generic terms, “You can put it out there, and you’ve officially said something, but you’ve also said nothing that can get you in any sort of trouble any which way.”
Siegel said Coveware works with as many as six publicly traded companies a month, which he declined to identify. “Any company that uses a phrase like ‘malware that encrypted’ or ‘malware that caused system disruption or downtime’ is likely referring to ransomware. Because malware is everywhere, it’s constant, and you don’t stop doing business because of malware,” he said. “I think you can feel very, very confident that ... anybody that phrases it as a malware or IT security incident that causes a disruption is likely referring to ransomware.”
Less than half of Siegel’s publicly traded clients pay a ransom, while the rest usually restore data from backups, he said. “Some of these [situations] are pretty messy and sometimes take weeks or longer to fully recover from,” he said. “We’ve had public companies that have literally rebuilt every computer from scratch.”
In a November filing, Lumber Liquidators said that its computer freeze was “caused by malware,” and that it “implemented our business continuity plan and undertook actions to recover the affected systems.” It estimated a $6 million to $8 million revenue loss. In an accompanying earnings call, the company’s chief executive said that a “network attack” had “encrypted certain IT systems.” Encrypted files are characteristic of ransomware.
Asked whether the company was attacked by ransomware, and if so why the company hadn’t used the term, Lumber Liquidators spokesman Nathan Bowie didn't respond.
A ProPublica review of SEC filings found that companies typically attribute computer mishaps to malware. For example, Illinois-based trucking company Roadrunner Transportation Systems blamed a “malware attack” in September for quarantined servers and invoice delays that reduced revenue by more than $7 million. Another Illinois company, Ingredion, a maker of sweeteners and starches, said “suspicious activity” and a “malware incident” took servers offline in October, with an expected delay in transactions with customers and suppliers. Indiana-based Patrick Industries, which makes components for recreational vehicles, spent $1.5 million to repair damage from a “highly-sophisticated third-party malware cyberattack” this year that disrupted operations for two business days. Spokeswomen for the companies declined to respond to questions.
Companies sometimes cite ransomware in filings as a potential risk. Last February, Massachusetts-based beverage company Keurig Dr Pepper warned in an SEC filing that a ransomware attack could breach its cybersecurity. In that same filing, it said that an “organized malware attack” had disrupted its coffee systems division, and that it had “taken actions to address this attack,” but offered no other details. A company spokeswoman declined to comment.
ProPublica could not determine if Roadrunner, Ingredion, Patrick Industries or Keurig Dr Pepper were hit by ransomware.
Steven Chabinsky, a Washington, D.C., attorney who focuses on privacy and cybersecurity matters, said that such disclosures satisfy the materiality rule. There is “no reason to think the SEC would look for magic words like ransomware as long as the incident was described accurately,” he said.
SEC spokesman Christopher Carofine declined to comment on companies’ avoidance in filings of the word “ransomware.” However, in cyber disclosure guidance last year, the SEC appealed for more candor. Companies “should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors,” it said.
In a speech last year at the Tulane Corporate Law Institute, SEC Commissioner Robert Jackson expressed concern that companies aren’t reporting cyberattacks, though he didn’t single out ransomware. The commission “relies heavily on the judgments of corporate counsel to make sure investors get the information they need” on cyber incidents, he said. “I worry that these judgments have, too often, erred on the side of nondisclosure, leaving investors in the dark and putting companies at risk.”
Without knowing about the existence or extent of ransomware attacks and any subsequent payments, investors cannot make informed decisions about stock ownership or proposals that could boost a company’s cybersecurity, Rhode Island Congressman Jim Langevin said in an interview. Companies need to “err on the side of reporting,” and the SEC must be “more proactive” in enforcing regulations, he said.
“Investors certainly have a right to know if a ransomware attack happened, how it was handled and whether or not the ransom was actually paid,” said Langevin, a Democrat who is co-chair of the Congressional Cybersecurity Caucus and has called on the SEC to require companies to disclose their cybersecurity practices.
“We don’t know what we don’t know,” he continued. “When breaches have occurred, if companies are silent about it, investors don’t know, policyholders don’t know, regulators don’t know. It sends the message that everything is fine here, there’s nothing to worry about, and they just go on with business as usual. That’s wrong.”
Internal debates within corporations over whether to disclose a ransomware attack typically involve discussions about two groups that might challenge a material omission in the filings, Stark said. “You worry about the Division of Enforcement at the SEC, and you worry about the plaintiff’s bar,” he said.
Failing to disclose material events to investors and the SEC can spur backlash from both directions. After Yahoo failed to promptly report a data breach (not ransomware) affecting hundreds of millions of accounts, it settled a shareholder lawsuit in 2018 for $80 million and SEC charges for an additional $35 million. Yahoo, now called Altaba, denied the shareholder allegations and neither admitted nor denied the SEC charges.
Whether a ransomware attack that doesn’t expose troves of personal data must be deemed material and reported to the SEC is a closer call. While the ransom demand generally isn’t high enough to be considered material by itself, companies often incur other costs related to the attack — from hiring outside consultants and replacing damaged equipment to paying higher cyber insurance premiums and coping with lost revenues from interrupted operations. There are qualitative considerations as well, from customer dissatisfaction to loss of corporate data. Corporations should weigh “the importance of any compromised information and of the impact of the incident on the company’s operations,” the SEC has said.
The test for materiality is subjective, and companies “absolutely take advantage of the leeway,” said consultant Stephanie Tsacoumis, who teaches a class called Disclosure Under the Federal Securities Laws at Georgetown University’s law school. “I could argue from an investor’s perspective that a ransomware event is significant because it demonstrates that there are flaws in the company’s cybersecurity protections and that’s a threat to their business, and it could be a huge failure of internal controls,” she said. “And therefore it qualitatively is material enough to be disclosed.”
Corporations sometimes warn in filings that they may be affected by ransomware in the future. Tsacoumis said companies may use this generic “risk factor” disclaimer to justify not reporting a specific attack, taking the position that the market already has been alerted about the potential for it, she said. Reporting only a hypothetical risk in the face of real harm, however, can get companies in trouble. In July, Facebook agreed to pay $100 million to settle SEC charges that it disclosed only a hypothetical risk of misuse of user data when actual misuse, not involving ransomware, had already occurred. Facebook neither admitted nor denied the allegations.
From corporate IT employees and senior management to outside auditors, “everybody’s interest is to downplay” an attack, Tsacoumis said. “It’s self-interest. My personal annual evaluation, my bonus, my salary, my promotion. It’s how management looks to the board, and then it’s how the company looks to the public. And they all have an interest in maintaining the stock price. It goes from the individual level to the more macro level and impact on the market.”
John Olson, an attorney who has represented companies before the SEC, said he would advise disclosure when ransomware affects vital business information, finances or customers. “The financial impact could be significant and is certainly embarrassing and does raise questions about how good their cybersecurity is,” he said.
When Beth George was an attorney in the U.S. Justice Department, she worked with the FBI to persuade public companies to cooperate with law enforcement investigations into cyberattacks. Now in private practice in California, she’s one of several former DOJ and FBI officials who don’t recommend to clients that they report ransomware attacks to the bureau.
“I do think the FBI truly believes that they can be helpful to companies when these ransomware attacks happen, but I don’t know in actuality how true that is,” she said. The bureau “lacks the resources to be the cybersecurity responder for every company, and I don’t think they understand their resource constraints. ... And as someone who is a former government official, it makes me sad. It’s completely opposite of what we thought our mission was to do in the government, which is to help companies. But the FBI spends a lot of time saying, come to us and we’ll help you, and no time saying, ‘How can we help you?’”
Reporting a crime to the FBI is voluntary. Since 2016, more than 4,000 ransomware attacks have taken place daily, according to statistics posted by the U.S. Department of Homeland Security. Nevertheless, only 1,493 were reported to the FBI in 2018. The bureau said in October that it does not advocate paying ransoms since doing so encourages continued criminal activity, but it added that it “understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” Regardless of whether victims decided to pay ransoms, the FBI urged them to report ransomware incidents. “Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”
Fear that an attack will become public knowledge is one of the biggest deterrents to reporting, said Thomas DiBiagio, a former U.S. attorney in Maryland, who now handles internal investigations for corporations. Other corporate concerns include the FBI’s historical opposition to paying ransoms and its reluctance to share intelligence with victims about who might be behind the attack — information that is often considered classified. Companies can turn instead to private cybersecurity firms, largely staffed by former FBI agents, which have no compunctions about paying ransoms, and typically share findings with clients, George said. Working with a consultant rather than the government may also reduce the chance that the news will leak.
Moreover, many attacks originate in countries that do not cooperate with U.S. law enforcement. Last year, the DOJ delivered its first indictment of alleged cyberattackers for deploying a ransomware scheme. The two Iranian hackers were wanted in connection with SamSam ransomware, which paralyzed computer networks across North America and the U.K. between 2015 and 2018. This month, the DOJ indicted two Russians in connection with deploying financial malware that cost victims tens of millions of dollars. Later versions of the malware were designed to facilitate ransomware installation, the DOJ said. Neither the Iranians nor the Russians have been arrested.
Chabinsky, a former deputy assistant director of the FBI’s cyber division, said some businesses report ransomware attacks to the bureau because their cyber insurance policies require them to or because they believe cooperating with law enforcement protects their reputation. But many don’t, feeling the FBI can’t offer much assistance and could create a distraction as “one more party asking you for information during a time of crisis management,” he said. Chabinsky has never advised a client hit by ransomware to contact the bureau, he said.
DiBiagio cited another downside of dealing with the FBI. “Not that I’m saying corporate America is dishonest, but the last thing you want is a bunch of FBI agents crawling around your company,” he said. “There is no benefit whatsoever of you reporting. There’s no incentive. And there’s clearly identifiable cost. It’s the cost, the disruption, the risk they talk to some employee and now you’re under investigation. There’s no upside.”
In an emailed response to questions, the FBI said it “protects the confidentiality of sensitive information it receives.” It said it “works closely” with victimized corporations to protect their interests and make sure they “have all the information needed to reconstitute systems, patch vulnerabilities, and prevent additional attacks.”
“Over the course of many responses to ransomware incidents, the FBI has refined its response protocols to ensure that it is able to conduct investigative activity in the least intrusive way possible,” the bureau said. “When a victim decides to voluntarily work with the FBI, we strive to do only the work required to thoroughly investigate the incident and to do so quickly and with minimal impact on the operations of the company we are working with.”
Langevin, the Rhode Island congressman, said the government needs stronger reporting requirements on cyberattacks so officials can compile more accurate incident data. That data could improve cyberdefenses by helping policymakers and companies decide where to focus their resources. One possibility, he said, is requiring insurers to report incidents to the FBI as they process cyber policy claims.
“All too often these ransomware attacks are being swept under the rug, but we don’t know how broad the problem is until we have real data to look at,” he said.
Theoretically, the federal government has another way of tracking ransomware attacks. Corporations hit by ransomware sometimes hire private firms to pay the cryptocurrency ransom on their behalf, taking a fee for the service. These companies should qualify as “money transmitters” regulated by the Financial Crimes Enforcement Network, or FinCEN, a bureau of the U.S. Treasury Department, said Matt Klecka, a former trial attorney in the DOJ’s Bank Integrity Unit, which works with FinCEN. As such, they should file “Suspicious Activity Reports” to FinCEN on ransomware payments since a criminal is known to receive the money, Klecka said.
Once they register, “they’re known quantities,” Klecka said. “They’re on FinCEN’s radar. Then FinCEN will be looking” at the suspicious activity reports.
Sentinel Crypto Holdings, a Florida firm that pays ransoms on behalf of victims, has registered with FinCEN, and its founder told ProPublica that it has regularly submitted suspicious activity reports. Florida-based MonsterCloud and New York-based Proven Data are not registered. ProPublica reported in May that both firms purported to use their own technology to disable ransomware but often just paid the ransom. Through a spokesman, MonsterCloud CEO Zohar Pinhasi declined to comment.
FinCEN spokesman Stephen Hudak declined comment on whether these companies should be considered money transmitters. If they are registered, he said, they should report ransomware transactions as suspicious activities. “Businesses should contact FinCEN if they are unsure of their registration requirements,” he said.
Proven Data did just that in 2016, when it asked FinCEN if its work facilitating ransom payments on behalf of clients required it to register with the agency as a money transmitter, according to correspondence provided by the company. Proven Data argued that registration was not required because its core business was "a suite of data recovery services," and that it only paid ransoms when no other solution was available. Proven Data also assured FinCEN that, “in all cases, the company encourages the victim to report the incident to the FBI.” FinCEN agreed with Proven Data’s assessment.
Middlemen transacting ransoms is “troubling” and “unseemly,” Langevin said. “This is an area where law enforcement should be looking because it does facilitate the ongoing practice. These firms need to be looked at and regulated,” he said.
On Columbus Day weekend, ransomware struck Connecticut-based Pitney Bowes. Its clients — which include most Fortune 500 companies — realized something was wrong when they had trouble using the company’s postage meters and some of its e-commerce shipping services. As the Pitney Bowes technical team and outside consultants scrambled to restore operations, chief communications officer Bill Hughes spent the holiday weekend combing through SEC filings to see how other publicly traded companies disclosed ransomware attacks. He didn’t find much.
“I knew there were way more incidences than what was being reflected in the news and in SEC filings,” said Hughes, adding, “In the two or three examples that I found on Saturday or Sunday morning when I researched, it was always ‘malware.’ It was never ‘ransomware.’”
Following precedent, Pitney Bowes first told investors in an Oct. 15 filing that it had been “affected by a malware attack.” But company executives soon decided to be more forthcoming. In an Oct. 17 webinar, the company’s chief data protection officer referred to the attack as ransomware. Posted updates cited the “Ryuk virus.” Ryuk is a notorious ransomware strain that hackers use to encrypt files and command six- or seven-figure ransoms. Pitney Bowes said in a November filing that the “ransomware attack” could reduce annual revenue by 1⁄2%.
A few companies besides Pitney Bowes have dared to invoke the R word. California-based Fluidigm, a maker of biotechnology tools, said in an SEC filing that it had “experienced a ransomware attack” in March that encrypted some systems “containing critical business data.” Agnes Lee, who handles investor relations for Fluidigm, said the company tried “to be accurate and transparent to the extent that we can be.”
Maryland-based media company Urban One said in an earnings call this year that it was “hit by a ransomware attack” costing more than $1 million in recovery expenses and lost revenue. The company’s general counsel, Kris Simpson, told ProPublica that the company was penetrated by the Ryuk strain and did not pay the ransom.
“It really is going on every day, and I think part of the thought process is that everyone is getting hit so it’s kind of ordinary course,” Simpson said. “But I think that we tend to be conservative in our disclosure, so we tend to over-disclose. We just think it’s the right thing to do.”
This article was originally published in ProPublica. It has been republished under the Creative Commons license.