5 Important Things Board Members Should Know About Ransomware Risk

Published by Axio

The recent Colonial Pipeline attack was a national wake-up call about the physical consequences of a ransomware attack. Attackers held Colonial's billing systems hostage, leaving the company unable to deliver roughly 45% of the East Coast's fuel supply. Cyber events like ransomware attacks are becoming more frequent and are now a matter of national security. Board members in particular are losing sleep trying to understand the true impact and consequences of a ransomware attack, should one happen. It is possible to be better prepared and to sleep well at night. We have helped many corporate boards gain this level of understanding. This article shares 5 important things board members should know about ransomware risk.

Cyber Insurance Policies are Getting Very Expensive

Cyber insurance policies are unlike most other insurance policies. Cyber risk is relatively new for insurers, and they lack the long run of actuarial data that underpins other lines of coverage. Because of the recent ransomware scourge, premiums are rising sharply. In 2020, many insurers lost money on their cyber insurance lines of business. Ransom payments themselves are generally covered by a company's cyber policy or its kidnap and ransom policy, but the insurer is often also on the hook for the other costs of a ransomware attack, including remediation and recovery after the event. Some insurers are pulling out of the cyber insurance sector altogether because it is more cost-effective not to offer coverage at all; those that stay will keep raising rates. This will continue until the ransomware epidemic is under control. It is vital that board members understand the trend of rising insurance costs and consider other mechanisms for reducing the risk.

Paying Ransom is a Last Resort

When hit by a ransomware attack, board members may be inclined to pay the ransom immediately to minimize the downsides commonly associated with an attack, such as service downtime and damage to the company's reputation for reliability. Payment should be the last resort. The propensity and willingness to pay has fueled the increase in ransomware attacks, as attackers have realized that most targets will pay quickly. This has led to the rise of what is known as big-game-hunting ransomware, in which attackers get into the network by various means, escalate their access to domain admin, and give themselves control of everything on the network before encrypting it. This lets them demand an even higher ransom. Paying the ransom does not clear the company of either the ethical or the practical problem. Beyond encouraging further ransomware attacks, paying does not relieve you of the data breach: if the attackers took data before encrypting it, it is still in their hands, and any breach obligations still apply. Nor does payment guarantee a working decryptor. Companies must recognize that everything touched by an attack is compromised.

Financial Impacts Aren’t Limited to Technology

The financial costs of a ransomware attack are not limited to the targeted technology. For many of our clients, we use the Axio360 platform to quantify the impacts of a ransomware event. Beyond the ransom itself and the replacement of compromised technology, costs include PR response and the reactive internal process changes that follow an attack. Through our work with customers, we have found that the upfront cost of a more effective cybersecurity program is modest in isolation and far smaller than the price of recovering after an attack. Quantification exercises, in which the company walks through worst-case scenarios, are a fast way to see how much is at stake in dollars and cents. The scenarios should cover the range of plausible ransomware attacks, including what would happen if the attackers reached the data backups. Proactive preparation reduces potential costs; no preparation can multiply them tenfold.

Don’t Negotiate on Your Own

Despite the appeal of resolving a ransomware situation as quickly as possible, it is crucial to bring in help. Outsourcing negotiations gives companies a cleaner, and likely less expensive, result. The firms that negotiate real-life events such as the kidnapping of an executive or board member are well equipped to negotiate a ransomware incident and will do so more effectively. They often have resources unavailable to most companies, such as a reserve of cryptocurrency like Bitcoin in case the attackers demand payment that way; on its own, a targeted company may struggle to assemble the required amount of cryptocurrency in the time given. External help remains useful after the network is recovered: responders can deploy decryption keys to restore data the attackers encrypted, and can help determine what information was leaked or stolen.

Incident Response Isn’t Something to Plan After an Attack

The last, and potentially most important, consideration is that incident response plans are not only required today, but must be written well ahead of an attack. There must be a general incident response plan for any event, as well as event-specific playbooks. The general plan can and should include criteria for which events get escalated to the board and how quickly. Plans must clearly define what counts as an incident. Decision criteria can include the importance of the affected area to the company's operations or the speed at which the attackers are moving through the network, but these criteria should be predetermined, not decided in the moment. While this applies to all areas of risk, a ransomware-specific plan is particularly important. It is an opportunity for an organization to think about how to compartmentalize the network without shutting everything down, and to prepare separate ways to cut off different areas of the network. It is much better to sacrifice one piece of the puzzle than to try to save one part of the network while exposing the rest.
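As an added illustration (not code from this article or from Axio), here is one way to write the predetermined criteria above down as a small playbook function instead of leaving them to judgment during the incident: a constructed map of network segments and agreed criticality scores, a spread-rate threshold, and a rule that cuts links only for the compromised segments (plus reachable high-value segments when the attacker is moving fast) while leaving everything else connected. The segment names, scores and thresholds are assumptions made for the example.

```python
"""Pre-agreed containment and escalation criteria for a ransomware playbook.

Added illustration, not Axio's code or product. The segment map, criticality
scores and thresholds are constructed assumptions; a real playbook would take
them from the network inventory and the board's agreed escalation criteria.
"""
from dataclasses import dataclass, field

# Constructed segment map: which segments are allowed to talk to which.
# In practice this is derived from firewall policy, not hand-written here.
SEGMENT_LINKS = {
    "corp-workstations": {"corp-servers", "billing"},
    "corp-servers": {"corp-workstations", "billing", "backups"},
    "billing": {"corp-servers", "corp-workstations"},
    "backups": {"corp-servers"},
    "ot-control": set(),  # assumed to have no links into corporate IT
}

# Constructed criticality scores (1 = low, 5 = mission critical), agreed in advance.
CRITICALITY = {
    "corp-workstations": 2,
    "corp-servers": 3,
    "billing": 4,
    "backups": 5,
    "ot-control": 5,
}


@dataclass
class Incident:
    compromised: set        # segments with confirmed ransomware activity
    hosts_per_hour: float   # observed rate of newly affected hosts
    backups_touched: bool   # attacker reached backup infrastructure


@dataclass
class Plan:
    isolate: set            # segments whose links get cut
    at_risk: set            # uncompromised segments one hop from the attacker
    escalate_to_board: bool
    reasons: list = field(default_factory=list)


def containment_plan(inc, spread_threshold=10.0, board_level=4):
    """Apply the pre-agreed criteria and return a segment-level plan.

    spread_threshold: hosts/hour at or above which the attacker is 'moving fast'.
    board_level: criticality at or above which the board is notified.
    """
    isolate = set(inc.compromised)
    reasons = []

    # Next hop for lateral movement: everything a compromised segment may reach.
    at_risk = set()
    for seg in inc.compromised:
        at_risk |= SEGMENT_LINKS.get(seg, set())
    at_risk -= isolate

    fast = inc.hosts_per_hour >= spread_threshold
    if fast:
        reasons.append(f"spread rate {inc.hosts_per_hour:g}/h >= {spread_threshold:g}/h")
        # Moving fast: also cut links to reachable high-value segments rather than
        # wait for them to be hit. Segments the attacker cannot reach keep running.
        for seg in at_risk:
            if CRITICALITY[seg] >= board_level:
                isolate.add(seg)

    hit_critical = [s for s in inc.compromised if CRITICALITY[s] >= board_level]
    if hit_critical:
        reasons.append("critical segment compromised: " + ", ".join(sorted(hit_critical)))
    if inc.backups_touched:
        reasons.append("backups touched")

    escalate = bool(hit_critical) or inc.backups_touched or fast
    return Plan(isolate=isolate, at_risk=at_risk, escalate_to_board=escalate, reasons=reasons)


def still_running(plan):
    """Segments left connected: the rest of the puzzle the plan preserves."""
    return set(SEGMENT_LINKS) - plan.isolate


if __name__ == "__main__":
    # Constructed incident: a few workstations encrypted, slow spread, backups intact.
    p = containment_plan(Incident({"corp-workstations"}, 3.0, False))
    print("isolate:", sorted(p.isolate), "board:", p.escalate_to_board)
    # Constructed incident: servers hit and the attacker moving fast.
    p = containment_plan(Incident({"corp-servers"}, 25.0, False))
    print("isolate:", sorted(p.isolate), "board:", p.escalate_to_board, p.reasons)
```

The point of encoding the criteria this way is that the thresholds and the segment map are reviewed and signed off before an incident, and the output states both what gets cut and what keeps running, which is the first question the board will ask.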

Ransomware Action Plan Time

Protecting your infrastructure can be daunting to take on, and assuming an attack will never happen to you is the biggest mistake you can make. It is not all doom and gloom, though. No single cybersecurity tool can prevent ransomware on its own; a more holistic approach that balances technology and insurance is needed, and preparation is key. You can build a ransomware action plan in under 2 hours with our new product, the Ransomware Action Planner (RAP). It comes with a free 1-year subscription to the Axio360 platform. Get started now with a free advisory consultation.


Learn more about our Ransomware Preparedness Assessment.