Anyone who follows the news is aware of the persistent threat of ransomware. Board members are certainly aware of it, and most know what preparations their organizations are making to fend off, respond to and recover from ransomware attacks. What they may not know is their own role in the organization’s response to ransomware and other attacks.
Chief Information Security Officers (CISOs) and other security leaders are uniquely placed to educate and engage board members about cyber threats and risk, ransomware in particular. This post’s simulated scenario plays out in three acts: preparation, response and recovery. It is written for CISOs and other security leaders who want to engage the board in a conversation about risk and secure board members’ guidance and support well in advance of any cyber-attack.
Act 1: Preparing for a ransomware attack
Organizations will want to make most ransomware response decisions before an attack, not during one. Because board members are bound to have a role in the response, they should know in advance how, when and by whom they will be engaged once an attack is under way. These decisions should be made collaboratively by board members, executives and security leaders.
Security leaders can use existing board communication channels. It is often the CISO who updates board members on how risk is managed, but the chief financial officer or chief operating officer may fill this role instead. Whoever speaks to the board on cybersecurity may address the full board, individual members, or the committees responsible for risk or audit. Many boards have one or two members who focus on cybersecurity or information technology (IT); they will have the background to ask informed questions and give informed feedback.
Security leaders can guide conversations to keep board members well-versed in ransomware considerations. Some topics include:
- Competitive intelligence: keep boards apprised of how peers and competitors are planning for ransomware events.
- Cyber insurance: building the business case to secure coverage or monitoring for changing coverage needs.
- Policies regarding ransom payments:
  - Boards and security leaders alike are reluctant to fund the criminals who attacked them.
  - A company that has paid once, and has not closed the entry point the attackers used, marks itself as a likely target for repeat attacks.
  - A decision to pay could be pragmatic: if an attack is catastrophic and there is no other clear path to recovery, the business faces extended downtime and leaders may opt to pay. Payment may be the fastest route to a decryptor, but it is not a guarantee: attacker-supplied decryptors are often slow or faulty, and no payment can ensure that stolen data has been deleted rather than held for later leak or resale. Counsel should also confirm in advance that paying is lawful, since payments to sanctioned actors can themselves be prohibited.
  - Whatever preliminary position is taken on paying, leaders are likely to make the final call in real time, and it will depend on the size and scale of the attack in question.
Key component: A ransomware readiness assessment
CISOs need to be able to tell the board how prepared the business is to recover from a ransomware event: whether systems can be restored and operations resumed before the attack does lasting damage. By asking the right questions, security leaders can quickly find and close the gaps:
- Has the business engaged an incident response team to assist during any future attack?
- Are backups kept where an attacker with administrative access to the network cannot reach or encrypt them, and has a full restore been rehearsed and timed?
- Are the right controls in place to drive down loss event frequency and reduce the likelihood of a further compromise?
- Is there a cyber incident response plan for the organization, and if so, has it been tested with a thorough dry run?
Key component: A cyber incident response plan
The cyber incident response plan documents the decisions made in advance of the attack. It lets the organization respond quickly by spelling out, before anything happens, who does what and in what order.
- When and how will board members be notified once an attack is underway?
  - Board members are better prepared when they know how they will be briefed during and after the attack, and by whom.
- What are the thresholds for notifying different levels of the organization about an attack underway?
  - Board members may want to be told before any ransom payment is made, regardless of the amount or its materiality.
- What is the impact of a ransomware event against us on our trading partners’ business?
  - Board members should consider how a ransomware attack on the business affects its third parties.
- What is the impact on our business of a ransomware event against our trading partners?
  - Board members will want to anticipate how an attack on any third party will affect business operations.
- How and when will we notify stakeholders if their private data is stolen from us?
  - Local, national and international regulations and contractual obligations all bear on this decision. Senior leaders should discuss stakeholder notification, with or without data loss, with counsel before an event.
  - Notification requirements are independent of any decision to pay a ransom: if data has been exfiltrated it has been breached, and an attacker’s promise to delete it after payment does not change that.
  - The type of data determines which rules apply. For example, personal data of people in the European Union is protected by the EU’s General Data Protection Regulation (GDPR), and payment card data is governed by the Payment Card Industry Data Security Standard (PCI DSS), a contractual standard imposed by the card brands rather than a law. Sector- and jurisdiction-specific breach-notification laws, including the state statutes in the United States, apply on top of these.
Act 2: Responding to a ransomware attack
An organization may nonetheless find itself responding to a ransomware attack. If that happens, the incident response plan becomes the guide to minimizing impact; the decisions already documented in it speed up decision-making for the board, executives and security professionals alike. First response steps include:
- As soon as an attack is detected, responders should check in with any advisors enlisted in advance, including outside counsel and the retained incident response team.
- Responders should contact the cyber insurance carrier for support and guidance. Many policies require notice before response firms are engaged or any payment is made, and some specify approved vendors, so this call comes early.
- Whether the attack results in data loss or an outage, the acknowledged best practice is to communicate early rather than wait until every detail is known, with statements limited to what has been confirmed and cleared by counsel so that early claims are not later contradicted.
- If plans are prepared correctly, cybersecurity and IT professionals will already know the board’s expectations for involvement, including what information should be conveyed to it. Informing the board is not a single step; security leaders will want to keep the board advised and engaged in crisis and reputation management decisions during and after the event.
- Board members will want to understand and guide decisions on crisis communications. Investor relations and public relations teams may engage outside crisis communications firms.
Act 3: Initiating recovery
Ransomware and other cyber-attacks generally leave painful lessons, and security leaders can engage third parties to restore business services and help the organization recover from, and learn from, the event. Experts brought in for incident response, remediation and recovery can also be retained to help prevent future attacks. Recovery must include forensics to identify system changes, data changes, root causes and the vulnerabilities exploited, so that the attackers are sealed out and no malware or damage is left behind. Because ransomware operators typically have access for days or weeks before encryption begins, the forensic work should establish when the intrusion started: restoring from a backup taken after that point can restore the attackers’ access along with the data, and any credentials exposed during that window should be rotated. Security leaders will also want to check in with third parties and auditors after an attack to determine whether new information requirements or control steps emerge.
Boards benefit from a clear understanding of how their organizations manage ransomware risk and other cyber threats, and that understanding prepares them for their own role in an effective incident response. Informing the board about how risks are managed, and agreeing board communication protocols before any event, equips board members to be effective participants in the organization’s response to and recovery from cyber-attacks, ransomware included.