Ransomware attacks continue to rise and make global headlines as the number of threat actors multiplies, the sophistication of attacks grows and ransom demands climb ever higher. The proliferation of attacks is partly driven by the ransomware-as-a-service model, which lowers barriers to entry and offers criminal clients help desks for support and professional negotiators. When you add to this environment the digitalization of businesses, the creation of a remote workforce and the increased number of companies doing business with third parties, you inevitably create greater vulnerability to ransomware attacks. Further, threat actors now choose their targets strategically, based on a company’s ability to pay and its known network vulnerabilities.
Management’s role is to manage the risk related to cybersecurity broadly and ransomware specifically. Even so, it’s important for directors to understand the key foundational elements of the risk management program and to be comfortable with the responses they’re receiving. But how do boards stay on top of this evolving risk? And how do they have meaningful discussions with senior executives on the topic? The best place to start is by asking questions.
There are significant business implications to consider when making a payment that span reputational, legal, financial, and operational impacts. Has management considered the impact on operations if it does not pay a ransom? Is management confident in its ability to successfully recover operations if it does not pay? Has management considered the brand impact to its stakeholders if a ransom is paid? Paying a ransom is a risk-based decision. Management will need to evaluate the various risks before deciding to pay.
Don’t wait until you are a victim to prepare for a ransomware attack. It’s critical to ask management questions now and understand how your board fits into the company’s overall response strategy.
Principal, Cybersecurity and Privacy, PwC US