Boardroom Tool

The Board’s Role in Ransomware Preparedness and Response

By Mike Woods

04/16/2026

Partner Content Provided by Internet Security Alliance
Cybersecurity Technology Oversight Boardroom Tool

This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, outlines how directors can structure oversight of ransomware preparedness and response, focusing on risk governance, scenario planning, and decision-making under pressure.

Introduction

Ransomware has become one of the most disruptive and persistent threats facing businesses. For boards, ransomware is a strategic business risk that can compromise operations, reputation, and financial stability.

Effective oversight of ransomware preparedness and response goes beyond high-level updates, incorporating quantified impact analyses, scenario-tested response plans, and clear decision-making authorities.

Ransomware Now Threatens Life-Critical Infrastructure

In February 2024, the ALPHV/BlackCat ransomware attack on Change Healthcare disrupted the claims and payment processing systems for 1 in 3 US patients, impacting every hospital nationwide. Seventy-four percent of hospitals reported direct patient care disruption, and many experienced months-long recovery delays and halts to essential services.

Key Focus Areas for Boards

  • Ensure management develops and tests a comprehensive ransomware incident response plan.
  • Review risk transfer strategies (e.g., cyber insurance) and how they align with the company’s risk appetite and business model.
  • Confirm cross-functional involvement in ransomware response, including legal, compliance, communications, and operations.
  • Evaluate whether ransomware risks are being quantified using economic and empirical data.
  • Establish clear escalation protocols for reporting ransomware incidents to the board.
  • Establish relationships with external parties and stakeholders that may be required during an incident, such as law enforcement, regulators, and customers.

Strategic Risk Framing

Request that management present ransomware scenarios as part of the organization’s broader enterprise risk management (ERM) framework. This includes stress-testing assumptions about recovery times, operational continuity, and financial losses. Viewing ransomware through the lens of strategic risk allows the board to evaluate trade-offs between investments in resilience, cyber insurance, and potential downtime costs.

Empirical and Economics-Based Assessment

Request quantitative risk models that measure ransomware impacts in dollars and probabilities. This enables informed decisions about whether to invest in preventive technologies, purchase additional insurance coverage, or accept certain residual risks. Questions should focus on whether management uses frameworks for cyber-risk quantification (e.g., FAIR model) and whether the data is benchmarked against industry peers.

Board Oversight of Incident Response

Ransomware attacks unfold rapidly, leaving little time for ad hoc decision-making. Confirm that a pre-approved ransomware incident response plan is in place and is cross-functional—legal, finance, communications, IT, and operations all play critical roles. The plan should also include pre-negotiated retainers for digital forensics and incident response (DFIR) providers, breach counsel, dark web intelligence services, and ransom negotiators, so that each can be activated quickly in the event of an incident. Consider participating in or observing tabletop exercises that simulate a ransomware event.

Decision-Making and Escalation

A central governance question is: Who decides whether to pay a ransom? Confirm that clear escalation thresholds exist, and that they specify whether management or the board is responsible for those decisions. Directors may not make the final call, but they must be briefed on the rationale, legal implications (e.g., OFAC restrictions on payments to sanctioned entities), and alternatives, such as restoring from backups.

Resilience and Business Continuity

Probe whether the organization can withstand an extended outage. This involves understanding recovery point objectives (RPOs) and recovery time objectives (RTOs) for critical systems, as well as reliance on cloud providers for rapid restoration. Investments in offline, immutable backups are now considered table stakes.
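The trade-off framing above (resilience investment versus cyber insurance versus accepted residual risk), the FAIR-style quantification the board should request, and the RPO/RTO figures that drive outage cost can be tied together in one expected-value model. The following is an added illustration, not a tool from the handbook; every figure in it is constructed, and the scenario fields, function names, and the simplified insurance payout rule are assumptions of this example rather than FAIR's formal taxonomy.

```python
# Added example: a FAIR-style, expected-value estimate of annualized ransomware
# loss exposure, used to compare an immutable-backup investment against a cyber
# insurance policy. All dollar figures and frequencies below are constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RansomwareScenario:
    threat_event_frequency: float  # intrusions per year that reach detonation
    vulnerability: float           # probability an intrusion becomes a loss event
    rto_hours: float               # recovery time objective: expected outage length
    rpo_hours: float               # recovery point objective: data to be recreated
    revenue_per_hour: float        # revenue lost per hour of outage
    rework_cost_per_hour: float    # cost to reconstruct each hour of lost data
    response_costs: float          # DFIR, breach counsel, notification, per event
    secondary_losses: float        # fines, litigation, churn, per event


def loss_event_frequency(s: RansomwareScenario) -> float:
    """FAIR: loss event frequency = threat event frequency x vulnerability."""
    return s.threat_event_frequency * s.vulnerability


def loss_magnitude(s: RansomwareScenario) -> float:
    """Per-event loss: RTO/RPO-driven primary loss plus secondary loss."""
    primary = (s.rto_hours * s.revenue_per_hour
               + s.rpo_hours * s.rework_cost_per_hour
               + s.response_costs)
    return primary + s.secondary_losses


def annualized_loss_exposure(s: RansomwareScenario) -> float:
    """Expected annual loss in dollars (the figure a board compares against risk appetite)."""
    return loss_event_frequency(s) * loss_magnitude(s)


def resilience_net_benefit(baseline, improved, annual_cost):
    """Expected annual saving from a control that shortens RTO/RPO, minus its cost."""
    return annualized_loss_exposure(baseline) - annualized_loss_exposure(improved) - annual_cost


def expected_annual_cost_insured(s, limit, deductible, premium):
    """Retained expected loss when a policy pays min(limit, loss - deductible), plus premium."""
    payout = min(limit, max(0.0, loss_magnitude(s) - deductible))
    return loss_event_frequency(s) * (loss_magnitude(s) - payout) + premium


# Constructed scenarios: today's posture, and the same posture after immutable
# offline backups cut the recovery time from 120 h to 24 h and data loss to 1 h.
BASELINE = RansomwareScenario(2.0, 0.25, 120, 24, 50_000, 10_000, 500_000, 1_000_000)
WITH_IMMUTABLE_BACKUPS = replace(BASELINE, rto_hours=24, rpo_hours=1)

if __name__ == "__main__":
    print(f"baseline ALE:              ${annualized_loss_exposure(BASELINE):,.0f}")
    print(f"net benefit of backups:    ${resilience_net_benefit(BASELINE, WITH_IMMUTABLE_BACKUPS, 400_000):,.0f}")
    print(f"expected annual cost, insured: ${expected_annual_cost_insured(BASELINE, 5_000_000, 250_000, 300_000):,.0f}")
```

Swapping the constructed inputs for the organization's own RTO/RPO, revenue-at-risk and retainer figures turns the same functions into the dollars-and-probabilities view the board is asked to request.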

Legal and Disclosure Obligations

Ransomware often triggers regulatory disclosure requirements (e.g., SEC cyber disclosure rules, GDPR breach notification in Europe). Boards must know whether management has a framework for timely reporting and how decisions are documented to demonstrate due diligence.

External Relationships and Systemic Risk

Ransomware resilience is not solely internal; supply chains and cloud vendors are frequent attack vectors. Boards should expect reporting on vendor risk assessments, contractual obligations for incident reporting, and participation in industry collaboration bodies (e.g., ISACs, CISA JCDC).

Questions Boards Can Ask Management About Ransomware with Sample Responses

  • Preparedness: Does management have a tested incident response plan for ransomware, and how often is it updated and exercised? Is there dedicated response, legal, and communications support “on call” via retainers?
    • Sample Response: Our Incident Response plan has specific scenarios on ransomware and is updated and exercised annually.
  • Economic Impact: How do we quantify the financial exposure from ransomware attacks, and how does it affect our enterprise risk appetite?
    • Sample Response: We employ quantified risk assessments aligned with enterprise risk appetite.
  • Decision Rights: Who has the authority to decide whether to pay a ransom, and under what circumstances would that decision be elevated to the board?
    • Sample Response: Our policy strongly discourages paying ransomware demands, in alignment with US law enforcement guidance and ethical risk practices. However, in a scenario where human safety or existential business survival is at risk, we reserve the right to escalate and consult law enforcement and legal counsel before deciding. All payments, if ever considered, require board notification and compliance checks.
  • Resilience: What redundancies (backups, cloud failover, business continuity plans) are in place to sustain critical operations if systems are locked, and have they been tested?
    • Sample Response: Our redundancies include regular backups, failover solutions, and comprehensive business continuity plans.
  • Legal and Disclosure: What are our regulatory obligations for disclosure of ransomware events, and is the board informed of them in real time?
    • Sample Response: Internal policies and processes drive how we commit to our disclosure obligations.
  • Third-Party Risks: How are we evaluating ransomware vulnerabilities in our supply chain and cloud service providers?
    • Sample Response: Our contracts contain supplier risk assessments and audit rights that are reviewed by the security team to ensure they remain aligned with the organization’s risk appetite.
