• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

Iran strikes 85 U.S. military sites in the Gulf, sparking a global selloff in stocks and a spike in the price of oil

2

Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it

3

Shark Tank's Kevin O'Leary says if he were 25 today, he'd chase these two booming opportunities in the world of AI

1

Iran strikes 85 U.S. military sites in the Gulf, sparking a global selloff in stocks and a spike in the price of oil

2

Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it

3

Shark Tank's Kevin O'Leary says if he were 25 today, he'd chase these two booming opportunities in the world of AI
Techransomware

Why making companies disclose ransomware payouts may be a good idea

By
Kevin T. Dugan
Kevin T. Dugan
Down Arrow Button Icon
By
Kevin T. Dugan
Kevin T. Dugan
Down Arrow Button Icon
July 22, 2021, 7:00 PM ET
Add Fortune on Google for similar content.

It costs just $10 to hold a company hostage. 

That figure, reported by cybersecurity startup Recorded Future, may be why that firm estimates there were 65,000 ransomware attacks worldwide in 2020. Anyone with an Internet connection, a Bitcoin wallet, and some spare change can hire hackers to deploy malicious software to freeze up a target company’s computer systems, lock them out of it, and demand a nearly untraceable payment of millions of dollars in order to get their information back. No technical knowledge, or even a gun, is needed.

The prevalence of these heists has led to a push to take them out of the shadows and require companies to publicly disclose when they’ve been targeted, or even paid the ransom. Lawmakers and federal agencies like the Securities and Exchange Commission are examining what kinds of reporting, if any, it should impose.

There’s a need for “real-time” disclosure when companies are hit with ransomware attacks, Sen. Angus King, (D-ME) said on CNN’s State of the Union last month. “The Colonial Pipeline, my understanding is, it wasn’t reported to the government for four or five days. I think they’d already paid the ransom.”

Updating disclosure laws may not be so easy, however. Each state has its own disclosure requirements, and while some require transparency when data is “inaccessible,” others are tailored more for attacks that steal data, said Anton L. Janik, Jr., a cybersecurity lawyer at Mitchell, Williams, Selig, Gates & Woodyard in Little Rock, Ark. 

While ramping up disclosures could backfire and end up exposing more weaknesses in companies and governments, transparency does have the benefit of informing consumers about how their data is being used, he said. 

“That choice about who owns, controls, and processes your data are important things to discuss,” Janik said. “There’s room for consumers to have knowledge and understanding and ability to gauge cybersecurity practices of the entities that they come into contact with in their daily life.”

Increased disclosure could help tamp down ransomware and create a better understanding of the problem’s scope, according to a recent report by the Institute for Security and Technology, a think tank with connections to the Obama administration and former U.S. military officials. As it is, states and the federal governments all have different, and sometimes overlapping, rules around disclosing cyber breaches. Equifax, for instance, took more than two months to disclose a hack that ultimately exposed more than 160 million people’s private data. In the end, many companies that pay off ransomware gangs never say so because of the bad publicity that comes with it.

“Updating breach disclosure laws to include a ransom payment disclosure requirement would help increase the understanding of the scope and scale of the crime, allow for better estimates of the societal impact of these payments, and enable better targeting of disruption activities,” the report said. 

More disclosure can also empower law enforcement to cut the flow of ill-gotten cryptocurrencies, the Institute for Security and Technology added. Authorities could issue “freeze letters” to cryptocurrency exchanges, which handle the ransom transactions, so they can stop ransom payments before they’re made, IST recommended. 

SEC regulators are looking at requiring the disclosure under its rules related to so-called ESG, or environmental, social, and governance. For the regulator, cybersecurity largely falls under “social”, said Jina Choi, a partner at law firm Morrison & Foerster, and former director of the Security and Exchange Commission’s San Francisco office.

“Under the federal securities laws, for public companies the legal standard regarding disclosure to its shareholders is materiality – and the SEC has set forth guidance regarding the costs, including reputational damage, that a company can incur if they are breached,” she said. 

Ransomware is one of the thorniest problems on the Internet today — one so pernicious and complex that Homeland Security Department officials have called it a “national threat.” President Joe Biden recently pushed Vladimir Putin to stop attackers — they tend to be situated in Russia or in the ex-Soviet Union — and offered a $10 million reward to anyone who can uncover the identities of these attacks.

The consequences of the problem came into sharp relief earlier this year following the attack of Colonial Pipeline, the company that transports about half of the East Coast’s oil. It paid 75 bitcoins, amounting to $5 million, in order to get its systems back online, but the damage was already done: Gas prices jumped, the airlines rerouted flights, and the federal government had to warn people not to hoard gas in plastic bags. 

The idea of requiring companies to disclose attacks does have its critics, however. Nick Merrill, a postdoctoral fellow at director of the Daylight Security Research Lab at the University of California at Berkeley’s Center for Long-Term Cybersecurity, said he was concerned that ramping up disclosure, without strengthening other security measures, may not be enough. 

“It’s tempting because it’s simple. And the real answers are much bigger and much broader than that,” Miller said. “I just worry that it’s a box checking exercise. And once it’s done, where would we be?”

One problem, he added, is that hackers could change their tactics so their attacks wouldn’t qualify as “ransomware”. He cited an attack on the Washington D.C. Metro Police that threatened to out its confidential informants, which he called “extortionware.” 

Another potential problem is rooted in ransomware’s ubiquity. Miller compared it to European data disclosure requirements on just about every web page — which users typically ignore. “These reporting requirements can go awry to such a degree that people just learn to ignore them,” he said, “and that would be worse than where we are now.”

But even informing consumers about some of a breach’s scope could better inform consumers. 

“I don’t think you need to disclose the dollar value of a hack, but you can disclose that there was a hack,” Janik said. “You could disclose the size of a hack — this is 600,000 patient records. I think those parameters are helpful to a customer in the marketplace to evaluate, ‘where do I feel comfortable?’”

 

Subscribe to Fortune Daily to get essential business stories straight to your inbox each morning.

About the Author
By Kevin T. Dugan
See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Tech

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Tech

a man having chair still by the window in the office
EconomyLabor
Labor force participation falls to 61.5%, the lowest in 50 years outside COVID, and economists say it’s not just people giving up
By Catherina GioinoJuly 8, 2026
7 hours ago
Man in collared shirt and jacket
Big TechAmazon
Amazon’s $25 billion ‘surprise’ bond sale dangled extra yield to lure in buyers—and flashed a warning sign about the AI boom
By Amanda GerutJuly 8, 2026
9 hours ago
Bezos’ Blue Origin is raising outside capital for the first time to compete for NASA contracts as rival SpaceX’s stock falters
InvestingJeff Bezos
Bezos’ Blue Origin is raising outside capital for the first time to compete for NASA contracts as rival SpaceX’s stock falters
By Mia OsmonbekovJuly 8, 2026
10 hours ago
Cathie Wood just bought the SpaceX dip again—and dumped Alibaba to do it
InvestingCathie Wood
Cathie Wood just bought the SpaceX dip again—and dumped Alibaba to do it
By Marco Quiroz-GutierrezJuly 8, 2026
10 hours ago
How Qualcomm’s CIO is placing big bets on AI to support the chip company’s diversification push
NewslettersCIO Intelligence
How Qualcomm’s CIO is placing big bets on AI to support the chip company’s diversification push
By John KellJuly 8, 2026
10 hours ago
Jonathan Bensamoun (right) sits on a stool next to his German Shepherd
InnovationPet Tech
Exclusive: Fi is bringing Starlink satellite technology to dog collars
By Lily Mae LazarusJuly 8, 2026
11 hours ago

Most Popular

Iran strikes 85 U.S. military sites in the Gulf, sparking a global selloff in stocks and a spike in the price of oil
Newsletters
Iran strikes 85 U.S. military sites in the Gulf, sparking a global selloff in stocks and a spike in the price of oil
By Jim EdwardsJuly 8, 2026
18 hours ago
Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it
Success
Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it
By Preston ForeJuly 6, 2026
3 days ago
Shark Tank's Kevin O'Leary says if he were 25 today, he'd chase these two booming opportunities in the world of AI
AI
Shark Tank's Kevin O'Leary says if he were 25 today, he'd chase these two booming opportunities in the world of AI
By Marco Quiroz-GutierrezJuly 5, 2026
4 days ago
Current price of oil as of July 8, 2026
Personal Finance
Current price of oil as of July 8, 2026
By Joseph HostetlerJuly 8, 2026
16 hours ago
Billionaires John and Laura Arnold have already donated nearly half their wealth. Now they're funding a hunt for the health risks of sports betting
Success
Billionaires John and Laura Arnold have already donated nearly half their wealth. Now they're funding a hunt for the health risks of sports betting
By Sydney LakeJuly 8, 2026
21 hours ago
Investment firm's cofounder sues after being fired for neglecting the in-person work mandate he signed, saying it applies to employees not owners
Law
Investment firm's cofounder sues after being fired for neglecting the in-person work mandate he signed, saying it applies to employees not owners
By Jason MaJuly 5, 2026
3 days ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.