Boards and Ransomware: Dealing with the Devil
By Betsy Atkins; Bill Lenehan contributed to this report
For all the clever coding involved, most ransomware delivers a crude, deadly message when it strikes your company. Important company files are locked, and can be destroyed, unless you pay a specific ransom amount to an anonymous recipient with a short deadline. But if your top management, information technology team and board of directors have devoted some time, thought and resources in advance, you’ll know how to respond.
In my own recent boardroom experience, I’ve been an evangelist for getting boards active in setting and assuring effective corporate digital policies. Much of this should be basic good governance for the 21st century. However, the special dangers of digital hostage-taking demand a unique corporate governance role. If common hackers penetrate your systems to steal data, company priorities are never in doubt—you assess and limit the damages, and learn from the attack.
Ransomware is existentially different, and goes to the heart of a board’s fiduciary role. Do we as a company pay a ransom demand—or do we take the moral high ground and say no? Your board needs to tackle this question now, before an attack. The major ransomware strains offer a short time frame to comply. Convening a board meeting that quickly for a flash crisis would be both impractical and unwise. Further, the actual ransom itself can be oddly small. Would you really convene an emergency board session to discuss spending $1,000?
I’ve seen ransom demands firsthand at one of my boards. Here are some ideas specifically targeted at the unique threat of ransomware:
• Get your ethical discussion out of the way now. Your top executives and IT staff need guidance from the boardroom on the big question of whether or not the company should submit. The call is not an easy one. Losing business (and perhaps the business itself) by taking the moral high ground is not your call as a shareholder fiduciary. Your No. 1 mission is to protect the business for investors. Hold this debate now at the board level, before a hacker’s message pops up on your screen.
• Shape a corporate ransomware policy based on this discussion. Take these strategic principles and turn them into a working tactical policy. Include functional steps, such as who is to be notified, who makes the final payment decision, damage/cost tradeoffs to weigh, etc. Also, ask if you will even be able to pay the crooks. At a major company whose board I serve, we faced a short-term ransomware demand, and decided we had to pay. But the hackers demanded payment in bitcoin, and the company didn’t have a bitcoin account. This took two days to set up, by which time the deadline had passed.
• Fight hackers with unconventional warfare. Push IT to innovate outside its normal comfort zone. Third-party vendors such as Optiv, SecureWorks and Stroz Friedberg specialize in penetration testing, 24/7 threat monitoring and ethical hacking. Your IT team says it has the latest software updates and threat assessments? Good—but contract with outside experts who can make sure. The expenses involved should be modest, and today are a basic cost of doing business, like insurance.
• Speaking of insurance, check your liability and other business policies when it comes to ransomware costs. Which losses are covered, which aren’t, what compliance measures must you have in place, and what are disqualifiers? Also, how should your company decide on making a claim? (If you file a claim for a ransomware payment of $5,000, will your premiums shoot up?)
Ultimately, boards and management must respond to a ransomware crisis as they do any company crisis. They must assure good response tools and plans are in place and functioning, ask tough questions, and assure that everyone knows their role. But for the board, ransomware prep demands an added step—asking yourself if you’re ready to deal with the devil. ↵
Betsy Atkins has a newly updated book, Behind Boardroom Doors: Lessons of a Corporate Director. Atkins is a serial entrepreneur and three-time CEO. She is CEO and founder of Baja Corp. and on the board of Cognizant, Schneider Electric and Volvo.
Bill Lenehan, a longtime real estate executive, is CEO of FCPT, created from the spinoff of Darden Restaurants’ real estate. He previously served on Darden’s board as a member of its corporate governance committee and chairman of its real estate and finance committee.