Four Steps to Analyze Ransomware Risk and Protect Critical Assets

In 2017, the WannaCry and NotPetya ransomware attacks grabbed everyone’s attention as to the potential devastation such incidents can leave in their wake. Since then, ransomware attacks have continued unabated against one organization after another until, in 2021, the high-profile Colonial Pipeline and Kaseya attacks once again proved that the perpetrators of these crimes play for keeps.

Amid the headlines and uncertainty surrounding ransomware, many organizations—and their boards—are struggling to understand and manage the threat ransomware poses. How can the board respond strategically?

Reputation damage, hefty ransoms, and business continuity are all concerns with ransomware. But the core of the conversation is about the potential loss of intellectual property and customer information and the specter of unpleasant dealings with criminals and other parties who may or may not be sponsored by nation-states.

The market still doesn’t know the number and full scope of these attacks, as few companies victimized by them are eager to share their experiences. However, estimates of total ransomware costs in the United States run as high as $20 billion for 2021, and the average ransom demand tripled from the first half of 2020 to the same period this year. As underwriting standards elevate the need for additional security controls, it may become more difficult for organizations to qualify for cyber insurance.

Several things are clear: Few companies are fully protected, and no company feels safe from ransomware. And every company, regardless of size or location, is vulnerable to rogue players controlling the enterprise.

As attacks—and the attackers themselves—become increasingly sophisticated and the consequences magnified, companies must learn and respond in kind. To adapt confidently to this evolving threat landscape, they must combine operational resilience, cyber-threat intelligence, and cybersecurity—all while navigating an evolving regulatory landscape.

What can board members do to help their organizations meet the challenge of analyzing risk and protecting critical assets? Here are four suggestions.

1. Prepare the chief information security officer (CISO) for success. The CISO’s role is essential to the hygiene and security of some of the enterprise’s most important assets. The board should instill confidence in the CISO by clarifying expectations, educating itself on the issues, allowing sufficient agenda time for discussion, and paying attention when additional resources and budget are requested. The board or committee chair should assist the CISO in focusing preparations, priorities, and metrics for the boardroom by conveying their concerns.

The chair should also let the CISO present briefings to the board in response to the stated expectations and take questions requiring a more detailed response offline if limited agenda time is allotted to the cyber discussion. The CISO should be positioned as a strategic partner of the board, with active support from the board chair and CEO and also necessary interaction between meetings with interested directors.

2. Organize the board for effective cybersecurity oversight. When a ransomware attack occurs, the full board often owns the matter and is engaged until the issue is resolved and the system’s structural integrity is restored. Maintaining that integrity going forward is the primary focus of either the full board or a designated board committee.

The CISO owns the plumbing underlying the operational response, and management is responsible for its effectiveness. However, directors should expect to gain confidence from the CISO’s briefings about the response plan going forward and any third-party vendors engaged to assist in its implementation. Everyone involved should reflect on the lessons learned from past attacks and continuing assessments of the threat landscape.

The board should periodically assess whether it needs access to additional expertise—either as a member of, or an objective advisor to, the board. Options for structuring such board assessments depend on the severity of the threat landscape, the role of technology in executing the company’s business strategy, the sensitivity of the systems, and data supporting the business model.

3. Ask the right questions—and don’t overlook third parties. Many boards seek to understand how ransomware attacks have occurred and whether cybercriminals could exploit those same methods in their own organizations. Directors should not underestimate the importance of asking the right questions of management on situational awareness, strategy and operations, insider threats, incident response, and related topics. An appendix in the NACD Director’s Handbook on Cyber-Risk Oversight suggests relevant questions.

For ransomware, directors should focus on compromise assessment and on incident response and preparedness, with a view of the entire, end-to-end enterprise. A ransomware attack on third parties handling mission-critical systems and sensitive data can stop the show, just as a direct attack on the company can. If attackers discover a third party’s access privileges to company systems and data, then the company itself could come under attack.

4. Support the conversation with a dashboard of appropriate metrics. The CISO’s reporting and metrics should inform board communications and be integrated into the overall enterprise risk management dashboard. While there are many metrics to consider, attacker dwell time is critical to a ransomware attack. The longer attackers remain undetected in a network, the more likely they will be able to find systems and resources they can leverage for ransom.

Today’s ransomware attackers often are well-funded, possess business savvy, and are highly skilled in hacking methods. And they’re playing tough. While the board isn’t responsible for day-to-day operational details, its duty-of-care responsibilities in the cyber space are significant given the sensitivity of data and the value to shareholders of the company’s intellectual property, reputation, and brand image.