Ransomware attacks continue to rise and make global headlines as the number of threat actors multiplies, their sophistication increases, and ransom demands grow higher and higher. The proliferation of attacks is partly driven by the development of the ransomware-as-a-service model, which lowers barriers to entry and offers criminal clients help desks for support and professional negotiators. Add to this environment the digitalization of companies and the remote workforce, along with the increased number of companies doing business with third parties, and all of these create greater vulnerability to ransomware attacks. And threat actors have a strategy for whom they target, based on the ability to pay and known network vulnerabilities.
Management’s role is to manage the risk related to cybersecurity broadly and ransomware specifically. That said, it’s important for directors to understand key foundational elements of the risk management program and be comfortable with the responses they’re receiving. But how do boards stay on top of this moving risk? And how do they have meaningful discussions with senior executives on the topic? The best place to start is by asking questions.
There are significant business implications to consider when making a payment, including reputational, legal, financial, and operational ones. Has management considered the impact on operations if it does not pay a ransom? Is management confident in its ability to successfully recover operations if it does not pay? Has management considered the brand impact to its stakeholders if a ransom is paid? Paying a ransom is a risk-based decision. Management will need to evaluate the various risks before deciding to pay.
Don’t wait until you are a victim to prepare for a ransomware attack. It’s critical to ask management questions now and understand how your board fits into the company’s overall response strategy.
Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US
Principal, Cybersecurity and Privacy, PwC US