September 2, 2021

Cybersecurity: Preparing the Board for a Ransomware Attack

As Liz blogged last week, ransomware attacks seem to be multiplying and becoming more audacious with each passing day.  In the current environment, managing ransomware risk is a critical component of the board’s cyber-oversight responsibilities.  This Woodruff Sawyer blog provides practical tips on developing appropriate protocols to address ransomware threats, and on developing a plan to respond to an attack. This excerpt addresses some of the things to think about when planning to mitigate the risk of ransomware attacks:

Have you set up your systems in a way so that your business can continue to operate after a ransomware attack? This involves ensuring your data and networks can be restored from backups. Increasingly, however, bad actors are finding ways around this, including infiltrating a network and searching for backups right away. If they can encrypt backups, you may have to pay the ransom.

Do you have a detailed incident response plan? This includes knowing who owns the plan within the company and choosing your key response vendors before a cyber event occurs. It is especially important to establish ahead of time your trusted outside counsel and your investor relations team or consultant.

How will you handle communications and disclosures during and after the cyber incident? This is one area where you will want to lean on the guidance of your outside counsel. There is tremendous pressure to say something—anything—during a cyber incident. However, speaking too quickly or not being prepared can lead to ill-advised and incomplete disclosures. Think through various scenarios and consider ahead of time what will be your cadence of communications, what you will say, and who will say it. You will also need to make appropriate disclosures to agencies like the SEC. For more on this, see my colleague Dan Burke’s article on nailing your communications during a cyber event. Remember, too, that the SEC is coming down hard on companies that have executed their communication plans poorly. See recent SEC enforcement actions against First American Title Company and Pearson plc.

In what circumstances would you pay the ransom? There are several considerations when deciding whether to pay a ransom, including if you are able to restore from backups as outlined earlier as well as others highlighted in a recent article by Dan Burke on three things to consider before paying a ransom. You will also want to be sure the person or entity is not on a sanctions list managed by the US Department of the Treasury’s Office of Foreign Assets Control. This list prohibits transactions with certain people or entities as a matter of national security. The agency “may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

The blog also provides insights on whether to contact the government and how to interact with your insurance carrier in the event of a ransomware attack.

By the way, now is a good time to take a hard look at the way you approach cybersecurity governance. That’s because in a speech delivered yesterday, SEC Chair Gary Gensler reiterated previous comments to the effect that the Staff is “developing a proposal for the Commission’s consideration on cybersecurity risk governance, which could address issues such as cyber hygiene and incident reporting.”

John Jenkins