Interesting article on the latest case in the United States of a ransomware attack targeting a governmental entity (and, as a result, its citizens), forcing the entity to pay the extortion demand in order to restore its data (hopefully, although with no certainty that the attackers will actually deliver a working decryption key). Previous incidents include Baltimore and Atlanta, which were asked for significantly larger amounts to release their data.
This event offers a number of lessons for Board members and similar governing bodies (in this case, members of the City Council) of any organization, public or private.
For one thing, it serves as an effective reminder of the need to:
- incorporate a Board member with cybersecurity expertise;
- make sure that the rest of the Board members acquire a basic level of understanding of cybersecurity risks and threats;
- confirm that all Board members understand their responsibilities with respect to cybersecurity risk;
- ensure a proper understanding of the regulatory requirements applicable to the company's industry; and
- oversee the definition, implementation and execution by the company (and by its vendors) of an enterprise-wide cyber risk program and culture, properly resourced and staffed.
Secondly, and more specifically for ransomware, this event reminded me of a Diligent Insights article that I read some time back, written by Betsy Atkins, an experienced Board member, with some Board-level ideas specifically targeted at dealing with the unique threat of a ransomware attack, including the need to determine beforehand: [See, Boards And Ransomware: Dealing With the Devil, August 21st, 2017, by Betsy Atkins.]
- Whether the company would be willing to pay a ransom demand; this discussion will likely involve a mix of technology, business and ethics considerations.
- Whether a corporate ransomware policy exists, based on the strategic principles developed by the Board, and whether it includes all the tactical and functional steps required in the event of an attack.
- How, and to what extent, to counter attackers with unconventional measures where that is viable.
- Whether liability and other business policies cover hacking damages, and specifically ransomware costs, including the availability of insurance coverage under the different scenarios.
If the foregoing steps have not been taken before an attack occurs, the recommendation is for the Board to convene immediately, get the ethical discussion out of the way, and provide guidance and support to Management on how to handle the incident and protect the business for its investors, even if that means paying the ransom.
PS: I invite you to follow me on Twitter, where I will also be publishing my articles, reflections, comments and content. You can find me, as on the other social media channels, under @dortegasosa. I look forward to your participation!