Cyber risk oversight is an increasingly important board function as ransomware has quickly become one of the biggest cyber threats. Ransomware—a type of malware that employs encryption to hold a victim’s information at ransom—has been around for decades but has increased significantly in recent years, particularly as workforces transitioned to remote work during the COVID-19 pandemic. As these attacks grow more frequent, the board of directors has a fiduciary responsibility to prioritize cybersecurity to reduce the company’s risk and be prepared to respond to a worst-case scenario.
A ransomware attack can result in reputational damage, business interruptions, regulatory risk, and liability for directors and officers (D&Os). Lawsuits filed in the past several years reflect an emerging expectation of holding D&Os personally liable if it’s found that they failed to ensure proper policies were in place to protect the company or if misleading statements were issued about the company’s preparedness. In addition, some ransom payments could be in violation of U.S. anti-money-laundering and sanctions laws.
Ransomware trends evolve constantly; for example, the average ransomware demand surged by 518% in 2021 compared to 2020. Other trends include:
- Phishing emails—In 2021, the majority of ransomware attacks were deployed via phishing emails, fraudulent messages disguised as legitimate correspondence.
- Ransomware as a service (RaaS)—RaaS is a pay-for-use malware that provides amateur attackers with the necessary code and operational infrastructure to launch and maintain a ransomware campaign.
- Double extortion—With double extortion, attackers not only encrypt system information but also threaten to leak it to the public if payment is not received.
To combat these trends, D&Os should consider the following:
- Discuss cybersecurity regularly. D&Os should remain informed about threats to their organization’s cybersecurity. The role of Chief Information Security Officer has grown in importance for managing risk and staying in the know about emerging cyber risk trends.
- Implement cybersecurity best practices. Multifactor authentication, identity and access management, and privileged access management should be enforced on companywide systems and across all devices.
- Ensure data is backed up. Backing up data offline or out-of-band is the single most effective way to recover from a ransomware infection. Test backups regularly.
- Prepare a response playbook. In the event of a ransomware attack, guidance outlining roles, responsibilities and next steps should be in place.
When boards have an actionable plan, they can mitigate the stress, damage and havoc of a ransomware attack. For more risk management guidance, contact us today.
©Zywave, All rights reserved.