Ransomware and the board: What you need to know

Ransomware attacks continue to rise and make global headlines as the number of threat actors multiplies, the sophistication of attacks rises and ransom demands become higher and higher. The proliferation of attacks is partly driven by the development of a ransomware-as-a-service model that lowers barriers to entry and offers criminal clients help desks for support and professional negotiators. Add to this environment the digitalization of businesses, the creation of a remote workforce and the increased number of companies doing business with third parties, and the result is inevitably greater vulnerability to ransomware attacks. Further, threat actors now choose their targets strategically, based on a company’s ability to pay and its known network vulnerabilities.

What you need to know

Preparing for a ransomware attack

Management’s role is to manage the risk related to cybersecurity broadly and ransomware specifically. That said, it’s important for directors to understand key foundational elements of the risk management program and be comfortable with the responses they’re receiving. But how do boards stay on top of this moving risk? And how do they have meaningful discussions with senior executives on the topic? The best place to start is by asking questions.

Experiencing a ransomware attack

There are significant business implications to consider when making a payment, spanning reputational, legal, financial, and operational impacts. Has management considered the impact on operations if it does not pay a ransom? Is management confident in its ability to successfully recover operations if it does not pay? Has management considered the brand impact to its stakeholders if a ransom is paid? Paying a ransom is a risk-based decision. Management will need to evaluate the various risks before deciding to pay.

Conclusion

Don’t wait until you are a victim to prepare for a ransomware attack. It’s critical to ask management questions now and understand how your board fits into the company’s overall response strategy.

Contact us

Maria Castañón Moats


Leader, Governance Insights Center, PwC US

Sean Joyce


Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

John Boles


Principal, Cybersecurity and Privacy, PwC US

Barbara Berlin


Managing Director, Governance Insights Center, PwC US

Catie Hall


Director, Governance Insights Center, PwC US
