October 26, 2021

Ransomware: Board Guide for Whether to Pay

Ransomware attacks are getting more common, and responding to them is getting more difficult in light of attackers’ new techniques (such as exfiltrating data before encrypting it, so that a ransom demand carries a threat of publication) and regulators taking steps to discourage companies from paying. That’s according to this Milbank memo, which also points out that responding to these incidents continues to be a board issue because of the business & legal risks. In order to navigate these risks, board advisers need to have a high-level understanding of the issues and of the company’s response plan before an incident occurs.

The memo delves into three assessments that could affect how to respond. Here’s an excerpt:

The fact that paying the ransom is not illegal in and of itself does not make deciding whether to pay any less difficult. Planning how to make that decision is key. Companies and their boards that have methodically pre-identified important factors in paying the ransom will be prepared to pragmatically and decisively address the problem when it arises. We recommend three assessments for victim companies deciding whether to pay: (i) the value of the breached data in light of modern ransomware attacks; (ii) the risks from paying the ransom; and (iii) negotiation and payment options.

On the first prong – evaluating whether paying the ransom makes sense given the value of the affected data – the memo suggests considering whether the encrypted data has been backed up or can be rebuilt, whether publicly available decryption keys exist for the ransomware strain involved (so that the locked data can be recovered without paying), and whether the company would face legal or regulatory claims, or reputational and relationship harm, if the stolen data were released to the public.

Liz Dunshee