Ransomware and the board’s role: what you need to know

Ransomware attacks continue to rise and make global headlines as the number of threat actors multiplies, their sophistication rises, and ransom demands climb ever higher. The proliferation of attacks is partly driven by the development of a ransomware-as-a-service model that lowers barriers to entry and offers criminal clients help desks for support and professional negotiators. Add to this environment the digitalization of companies and the remote workforce, along with the increased number of companies doing business with third parties, and the result is greater vulnerability to ransomware attacks. Threat actors also have a strategy for whom they target, based on the ability to pay and known network vulnerabilities.

What you need to know

Preparing for a ransomware attack

Management’s role is to manage the risk related to cybersecurity broadly and ransomware specifically. That said, it’s important for directors to understand key foundational elements of the risk management program and be comfortable with the responses they’re receiving. But how do boards stay on top of this moving risk? And how do they have meaningful discussions with senior executives on the topic? The best place to start is by asking questions.

Experiencing a ransomware attack

There are significant business implications to consider when making a payment, including reputational, legal, financial, and operational ones. Has management considered the impact on operations if it does not pay a ransom? Is management confident in its ability to successfully recover operations if it does not pay? Has management considered the brand impact to its stakeholders if a ransom is paid? Paying a ransom is a risk-based decision. Management will need to evaluate the various risks before deciding to pay.

Conclusion

Don’t wait until you are a victim to prepare for a ransomware attack. It’s critical to ask management questions now and understand how your board fits into the company’s overall response strategy.

Contact us

Maria Castañón Moats

Leader, Governance Insights Center, PwC US

Sean Joyce

Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US

John Boles

Principal, Cybersecurity and Privacy, PwC US

Barbara Berlin

Managing Director, Governance Insights Center, PwC US

Catie Hall

Director, Governance Insights Center, PwC US
