Is Your Board Prepared for the Growing Risk of Ransomware Attacks?

Ten percent of data breaches today involve ransomware and the average cost of a ransomware attack is $1.85 million. Ransomware is not new, but it is a growing threat as bad actors have found it to be a successful business model. In fact, the US Department of Justice is now giving ransomware attack investigations the same priority as terrorism.

Ransomware is a type of malware that targets both human error and technology vulnerabilities within a company. Once a system is infected, the malware encrypts the victim’s data (or steals it) and holds it for ransom. The perpetrators promise that, once the ransom is paid, they will return the data to the organization. Ransomware methods are getting more sophisticated all the time.

I’ve written in the past about how cyber risk oversight is a board-level issue, and how directors must uphold their fiduciary duties through proper cyber risk management. The cybersecurity issue is like any other critical area of business risk that needs to be identified, calibrated, and managed.

While it is true that most boards are starting to better understand cyber risk (in fact, 71% regard cyber risk as significant, according to EY), sometimes these concepts can be a bit abstract. According to EY, “[o]nly 48% of respondents say that their board and executive management team have the understanding they need to fully evaluate cyber risk and the measures it is taking to defend itself. Similarly, 42% complain that their boards do not fully understand the value of the cybersecurity team and its needs.”

As such, a board may not know what the right steps are given the rapidly increasing sophistication of ransomware attacks. That is why boards are increasingly speaking directly with their companies’ CISOs and some corporate boards today are even seeking directors with direct cyber expertise.

There is no shortage of published guidelines that boards can follow to implement cybersecurity best practices (e.g., this one from Skadden and this one from Harvard Business Review). And certainly boards should be familiar with the Securities and Exchange Commission’s guidance on board risk oversight and procedures related to cybersecurity and its cybersecurity and resiliency observations.

We can also turn to lessons learned from high-profile lawsuits, such as in Marchand v. Barnhill aka the “Bluebell ice cream” case. In that case, the court outlined the importance of boards having a system in place to bring threats to the board’s attention and having procedures to respond to those threats.

As ransomware becomes a growing business threat, here are some practical ways boards can approach the issue so to that they can be prepared to address this risk.

What Are Your Protocols to Address the Ransomware Threat?

Having strong protocols in place to address ransomware attacks is your first line of defense against this growing business risk. Here are some key considerations:

• Have routine discussions about cyber threats that are anything but routine. Make sure you understand what’s new in the world of cyberattacks, including how ransomware is evolving. Ask questions about the company's security posture. This article from BDO offers some excellent food for thought. Tabletop exercises are key here. It's not enough to have a plan—you have to develop the muscle memory for how to execute the plan.
• Make sure you implement best practices in the areas of email security, remote connectivity, and perimeter protection. At this point, things like multi-factor authentication, identity access and privileged access are table stakes. This article by BDO describes the importance of having a multilayered approach to prevention, including “documenting policies and operational procedures, implementing data encryption, performing data destruction, monitoring network activity and implementing network segmentation.” For more best practices, see the NIST’s Cybersecurity Framework.
• Make sure detection protocols are in place. According to one report, 68% of ransomware attacks go unnoticed, and 91% of cyber attacks do not generate an alert. In the event of a cyber attack, the speed with which you are able to detect the attack can be key to mitigating the outcomes. As this article from IT Governance points out, “Data breaches are almost always contained sooner if they’re detected by an organization’s own staff.” Penetration testing is one way to do this.
• Address the weakest link: human beings. According to Verizon’s 2021 Data Breach Investigations Report, 85% of data breaches involved the human element. Here you want to implement staff training on how to avoid common cyber scams and threats, including conducting fake phishing attacks to teach employees how to avoid them. You may even consider consequences for employees who repeatedly fail these tests.
• Do you have the right cyber coverage? Cyber policies offer tremendous resources and coverage for cyber incidents including ransomware. You can learn more about what cyber insurance covers in: Cyber 101: Understanding the Basics of Cyber Liability Coverage. In many cases, insurers will pay the ransom on your behalf.

What is Your Plan When Attacked?

As the saying goes, it’s not if your company will be the victim of a cyber attack, but when. Here are some important considerations when planning to mitigate the risk of ransomware attacks:

• Have you set up your systems in a way so that your business can continue to operate after a ransomware attack? This involves ensuring your data and networks can be restored from backups. Increasingly, however, bad actors are finding ways around this, including infiltrating a network and searching for backups right away. If they can encrypt backups, you may have to pay the ransom.
• Do you have a detailed incident response plan? This includes knowing who owns the plan within the company and choosing your key response vendors before a cyber event occurs. It is especially important to establish ahead of time your trusted outside counsel and your investor relations team or consultant.
• How will you handle communications and disclosures during and after the cyber incident? This is one area where you will want to lean on the guidance of your outside counsel. There is tremendous pressure to say something—anything—during a cyber incident. However, speaking too quickly or not being prepared can lead to ill-advised and incomplete disclosures. Think through various scenarios and consider ahead of time what will be your cadence of communications, what you will say, and who will say it. You will also need to make appropriate disclosures to agencies like the SEC. For more on this, see my colleague Dan Burke’s article on nailing your communications during a cyber event. Remember, too, that the SEC is coming down hard on companies that have executed their communication plans poorly. See recent SEC enforcement actions against First American Title Company and Pearson plc.
• In what circumstances would you pay the ransom? There are several considerations when deciding whether to pay a ransom, including if you are able to restore from backups as outlined earlier as well as others highlighted in a recent article by Dan Burke on three things to consider before paying a ransom. You will also want to be sure the person or entity is not on a sanctions list managed by the US Department of the Treasury’s Office of Foreign Assets Control. This list prohibits transactions with certain people or entities as a matter of national security. The agency “may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
• Will you contact a government agency? Government agencies have been encouraging companies to contact them if they suffer from a cyber breach or a ransomware attack for a while. While many originally met this outreach with skepticism, companies are increasingly coordinating with relevant government agencies during a ransomware attack. You will want to nail down the right contacts within the relevant agencies ahead of time, or at least have identified these contacts with your outside counsel. At the time of an incident, you will, of course, want to consult with your outside counsel before reaching out to a government agency. For more, you can read: Should We Call the FBI After Our Cyber Incident?
• Who is in charge of discussing the incident with your insurance broker? This step can be overlooked because there is a lot going on and corporate employees are hesitant to tell anyone what is happening. Discuss with your trusted insurance broker in advance how a sensitive incident will be handled so that you can take full advantage of your cyber insurance policy in a timely way. For more on how to handle ransomware attacks, including information on how to report claims and what happens after that, see Woodruff Sawyer’s: Ransomware Attacks and Your Cyber Insurance: A Complete Action Plan.

The threat of ransomware is so overwhelming that it is easy to just hope that it won’t happen to your company. Unfortunately, hope is not a strategy—and directors have a fiduciary duty to do more than just hope.

The good news is that taking the time to put together an actionable plan will go a long way to mitigate the stress, damage, and havoc that a ransomware event would otherwise wreak on a company.