More than three decades after hackers unleashed the first ransomware scam, attacks on organizations and institutions persist. Ransomware is more dangerous than ever: The number of threat actors, along with their sophistication and reach, is rising, and they can tap into technologies and dark networks previously unavailable. Ransomware-as-a-service models lower barriers to entry for would-be criminals and offer help desks for support and assistance with attacks.
Defenses are improving and evolving as security offices strive to keep pace with the latest threats. But there are always fresh points of attack, and no Internet-connected organization is bulletproof. Digitalization, remote work and third-party partnerships are all creating greater vulnerability. And with threat actors targeting based on the ability to pay and known network vulnerabilities, ransom demands are growing, with threatened punishments for nonpayment becoming ever harsher.
What’s the board’s role in dealing with ransomware?
Management is charged with addressing cybersecurity risk, which includes protecting, detecting and, in the worst case, recovering from ransomware; it has become a tier-one CISO priority. In their oversight roles, directors need to understand foundational elements of their companies’ risk management programs and be comfortable with the information they’re receiving.
How can a board stay on top of this ever-shifting risk and build confidence in the organization’s ability to prevent and manage attacks? It begins with asking questions, and the first round should address cyber hygiene: whether management has established fundamental security controls that are operating effectively to prevent ransomware attacks—for example, network segmentation, data backups, multifactor authentication, password controls and ensuring that remote desktop protocol is protected or disabled.
If and when an attack comes…
Resilience planning is key. Management will want to have an ongoing process to evaluate and battle-test the organization’s cyber recovery capabilities. Of particular importance are written incident response plans. Relevant stakeholders should be participating in ransomware-focused tabletop exercises or live recovery exercises to prepare for adequately responding to and recovering from an attack. Efforts could include defining mission-critical systems and their dependencies, determining recovery priority order and maintaining segmented backups and recovery networks. After all, threat actors are by nature untrustworthy, and there’s no guarantee that an attacker who steals or encrypts data will restore it as agreed.
The board should confirm that management has lined up the resources to support a ransomware response, including law enforcement, outside counsel and a third-party response firm to provide technical expertise and additional resources to quickly investigate, contain and help recover from an attack. Retainers with appropriate organizations—for instance, a broker to assist in paying ransoms in cryptocurrency— should at least be discussed.
To pay or not to pay?
A policy of refusing to negotiate with ransomware attackers under any circumstances may be appealing but may also be unrealistic. Directors need to engage and discuss with management to make a pay-or-no-pay decision in the event of a breach.
Consider, too, that paying a ransom significantly increases the risk of becoming a repeat target, since other threat actors may see payment as an invitation for further targeting. Ransom payments, whether direct or via insurance, support attackers’ activity, helping to fund cybercriminal operations and allowing them to develop even more advanced methods of infiltrating vulnerable businesses.
There’s also the issue of whether paying a threat actor is legal, based on, for instance, Office of Foreign Assets Control guidance. A ransom payment could trigger questions as to whether the company is funding criminal groups, terrorism, sanctioned organizations and/or rogue states.
Carrying cyber insurance that covers ransomware reimbursements is a consideration. If it’s used, management and the board should be aware of the limits of coverage prior to any attack, including the necessity of showing evidence of attempted negotiation before the insurer covers the payment, or whether coverage is forfeited if the insurer recommends payment and the company elects not to—or vice versa.
And there are broader questions and business implications that accompany the decision to pay or not pay a ransom: reputational, legal, financial and operational. Management needs to evaluate all of the risks before making a decision.
Directors shouldn’t wait until a bad actor directly attacks the organization’s computer system to prepare for a ransomware threat. It’s critical to ask management questions now and understand how the board fits into the company’s overall response strategy.
