A service for banking industry professionals · Saturday, May 10, 2025 · 811,448,902 Articles · 3+ Million Readers

Ransomware and the Board’s Role: What You Need to Know

Ransomware attacks are increasingly making global headlines as the ransomware-as-a-service ecosystem evolves, attack methods become more sophisticated and ransom demands escalate. The expanded use of AI to launch more sophisticated and frequent attacks, the ongoing digitalization of companies, the prevalence of remote workforces and the growing number of companies doing business with third parties all add to this environment, and each may increase a company's exposure to ransomware attacks.

The proliferation of ransomware attacks has become a significant concern for companies, as threat actors continually refine their strategies to maximize impact and profit. These cybercriminals meticulously select their targets based on the presence of known vulnerabilities and the company’s ability to pay the ransom. Once successfully attacked, companies face the difficult decision of whether to pay the ransom, carefully weighing the associated risks and consequences.

Boards will want to engage with management to make sure they are strengthening their cybersecurity measures and resilience planning capabilities to defend against the threat landscape and adequately preparing for a potential ransomware attack.

Preparing for a ransomware attack

Companies would benefit from prioritizing business resiliency planning so that the organization is prepared to respond to and recover effectively from ransomware attacks. Organizations that invest in proactive preparation tend to fare better when an attack happens: they have a more coordinated and rehearsed plan, with clear accountability and decision-making, which can reduce operational downtime and financial loss.

To effectively prepare for a ransomware attack and engage in meaningful discussions with management, board members can focus on several key topics and questions. These discussions should aim to assess the organization’s preparedness, response capabilities and overall cybersecurity strategy. Here are questions the board can ask management:

  • Good “cyber basics”: Are foundational security processes and controls effective to help prevent ransomware attacks? How do we know these processes and controls are working effectively?
    Examples of key security processes and controls:
      • Network segmentation
      • Immutable backups
      • Multi-factor authentication across all systems
      • Zero-trust architecture
      • Privileged access and password controls
      • Remote desktop protocol (RDP) protected or disabled
      • Employee training and awareness
  • Integrated resilience planning: How are we continuing to advance our cyber resiliency planning to be able to recover from an attack? Have we established a comprehensive resiliency approach that includes crisis management, disaster recovery, business continuity and incident response plans working together? Have we defined mission critical systems and their dependencies as part of our planning? Do we have clear protocols for decision-making and communications, including timely notification of significant incidents to the board?
  • Tabletop exercises: When did management last participate in a ransomware-focused tabletop exercise to prepare for adequately responding to and recovering from a ransomware attack? What were the results and learnings from this exercise? The board should also periodically conduct its own ransomware tabletop exercise to practice its role and key decisions.
  • Testing backup systems: When was the last time we tested our backup systems to determine if they would function effectively during recovery? How long did it take for our backup systems to successfully run operations again? What were the other results and learnings from our tests?
  • Cyber insurance: How has our cyber insurance coverage changed since last year? What are the terms that management and the board need to be aware of prior to an attack?
    Examples of cyber insurance terms to discuss with management:
      • What incidents are not covered
      • Whether ransomware payments are reimbursed
      • If there are dedicated resources that must be used when responding to an attack
  • Specialist resources: Does management have the necessary resources identified on our own or through our insurance provider to support a ransomware response? Are appropriate resources on retainer? When was the last time we spoke with these resources and confirmed our arrangements?
    Resource considerations to support a ransomware response:
      • Law enforcement
      • Outside counsel
      • Broker to assist in paying ransoms in cryptocurrency
      • Third-party response company to provide technical expertise and additional resources to quickly investigate, contain and help recover from an attack

Deciding whether to pay a ransom

Paying a ransom is a risk-based decision. Risks to consider include reputational, brand, operational, financial and legal business implications. Boards play a crucial role in collaborating with management to decide whether to pay a ransom when the company is successfully attacked. Preparing in advance and establishing agreed-upon guidelines for this decision is helpful when it has to be navigated under pressure. Boards and management should incorporate this discussion into their ransomware resiliency planning, including the specifics of how a payment would be made, whether through an insurance broker, a cryptocurrency advisor or another resource. As boards consider whether the company should pay the ransom, here are questions the board can ask management.

To pay or not pay a ransom: considerations and questions

  • Alignment with corporate values. Does paying a ransom align with our corporate values? If not, are there scenarios when paying a ransom may make business sense? What are these scenarios and the factors we would consider in making the pay decision, and who would need to approve the decision?
  • No guarantees of regaining access to data. What do we know about the likely actions of the threat actor based on previous attacks? Are there data backups we can rely on should the threat actor not provide the data as agreed?
  • Legal and regulatory impacts. Is it legal to pay the threat actor based on the Office of Foreign Assets Control guidance, sanctioned entities or other regulations?
  • Perpetual encouragement. What are our views on ransom payments supporting the criminal activity of threat actors and helping them continue to develop even more advanced methods of infiltrating vulnerable businesses?
  • Double extortion. Have we considered whether there could be an additional ransom request as part of the initial extortion? The first ransom payment is to receive a decryption key and may be followed by another ransom request to have criminals agree not to leak or sell sensitive information that has been exfiltrated.
  • Increased risk of additional attacks. Have we considered whether paying the ransom invites other threat actors to target the company? Paying a ransom can significantly increase the risk of becoming a second target by others.
  • Insurance impacts. What does insurance cover and not cover for a ransomware attack? Will the insurer cover the ransom payment, and are there any conditions for payment (e.g., having to negotiate with the threat actor, or the insurer recommending payment when the company decides not to pay, or vice versa)? If insurance pays the ransom, do we have sufficient coverage for other expenses?

Conclusion

Ransomware remains a formidable threat in today’s digital landscape, evolving in sophistication and impact. To effectively combat ransomware, boards must oversee a comprehensive approach that includes robust defenses and resiliency planning for dealing with an attack. Companies that are well prepared for ransomware incidents are likely to fare much better than those that are not, highlighting the importance of proactive measures and strategic oversight.

Powered by EIN Presswire

