Boards and Ransomware: Dealing with the Devil

By Betsy Atkins; Bill Lenehan contributed to this report

Bill Lenehan

For all the clever coding involved, most ransomware delivers a crude, deadly message when it strikes your company. Important company files are locked, and can be destroyed, unless you pay a specific ransom amount to an anonymous recipient with a short deadline. But if your top management, information technology team and board of directors have devoted some time, thought and resources in advance, you’ll know how to respond.

In my own recent boardroom experience, I’ve been an evangelist for getting boards active in setting and assuring effective corporate digital policies. Much of this should be basic good governance for the 21st century. However, the special dangers of digital hostage-taking demand a unique corporate governance role. If common hackers penetrate your systems to steal data, company priorities are never in doubt—you assess and limit the damages, and learn from the attack.

Ransomware is existentially different, and goes to the heart of a board’s fiduciary role. Do we as a company pay a ransom demand—or do we take the moral high ground and say no? Your board needs to tackle this question now, before an attack. The major ransomware strains offer a short time frame to comply. Convening a board meeting that quickly for a flash crisis would be both impractical and unwise. Further, the actual ransom itself can be oddly small. Would you really convene an emergency board session to discuss spending $1,000?

I’ve seen ransom demands firsthand at one of my boards. Here are some ideas specifically targeted at the unique threat of ransomware:

• Get your ethical discussion out of the way now. Your top executives and IT staff need guidance from the boardroom on the big question of whether or not the company should submit. The call is not an easy one. Losing business (and perhaps the business itself) by taking the moral high ground is not your call as a shareholder fiduciary. Your No. 1 mission is to protect the business for investors. Hold this debate now at the board level, before a hacker’s message pops up on your screen.

• Shape a corporate ransomware policy based on this discussion. Take these strategic principles and turn them into a working tactical policy. Include functional steps, such as who is to be notified, who makes the final payment decision, damage/cost tradeoffs to weigh, etc. Also, ask if you will even be able to pay the crooks. At a major company whose board I serve, we faced a short-term ransomware demand, and decided we had to pay. But the hackers demanded payment in bitcoin, and the company didn’t have a bitcoin account. This took two days to set up, by which time the deadline had passed.

• Fight hackers with unconventional warfare. Push IT to innovate outside its normal comfort zone. Third-party vendors such as Optiv, SecureWorks and Stroz Friedberg specialize in penetration testing, 24/7 threat monitoring and ethical hacking. Your IT team says it has the latest software updates and threat assessments? Good—but contract with outside experts who can make sure. The expenses involved should be modest, and today are a basic cost of doing business, like insurance.

• Speaking of insurance, check your liability and other business policies when it comes to ransomware costs. Which losses are covered, which aren’t, what compliance measures must you have in place, and what are disqualifiers? Also, how should your company decide on making a claim? (If you file a claim for a ransomware payment of $5,000, will your premiums shoot up?)

Ultimately, boards and management must respond to a ransomware crisis as they do any company crisis. They must assure good response tools and plans are in place and functioning, ask tough questions, and assure that everyone knows their role. But for the board, ransomware prep demands an added step—asking yourself if you’re ready to deal with the devil.

Betsy Atkins has a newly updated book, Behind Boardroom Doors: Lessons of a Corporate Director. Atkins is a serial entrepreneur and three-time CEO. She is CEO and founder of Baja Corp. and on the board of Cognizant, Schneider Electric and Volvo.

Bill Lenehan, a longtime real estate executive, is CEO of FCPT, created from the spinoff of Darden Restaurants’ real estate. He previously served on Darden’s board as a member of its corporate governance committee and chairman of its real estate and finance committee.

You May Also Like

NAIOP South Florida Appoints Officers, Executive Board and Board of Directors for 2022

NAIOP South Florida, a Commercial Real Estate Development Association offering advocacy, education and business opportunities to its members, has announced the following officers for the 2022 Board of Directors: President:

Pride Week Festival Begins With Tribute to Pulse Nightclub Survivor

Miami Beach Pride’s week-long festivities will commence with a special tribute to the LGBTQ+ community honoring the victims of the tragic shooting at Pulse Nightclub in Orlando. A ceremonial “flip

Surfside luxury condo sees notable sales

Arte at Surfside is making waves. There’s, of course, the news that Ivanka Trump and Jared Kushner are renting at the 16-resident luxury condominium. And there’s the December penthouse sale

Up in the Air: A Discussion

In a dynamic region where residents are typically on the move, everyone is wondering about the health of the airline industry and the safety of airports and airplanes. Everyone is

Other Posts

South Florida Yachting Legend Passes

Robert “Bob” Roscioli, an icon in the South Florida marine industry, has passed away. Many recognize the name Roscioli from the widely-successful and world-renowned Roscioli Yachting Center, a full service

Four key steps

[vc_row css_animation=”” row_type=”row” use_row_as_full_screen_section=”no” type=”full_width” angled_section=”no” text_align=”left” background_image_as_pattern=”without_pattern”][vc_column width=”2/3″][vc_column_text] What a crazy time we are all experiencing. Right now, getting back to basics is most important. It is not and

Pandemic adds to worries about hurricane season

An above-normal 2020 Atlantic hurricane season is expected, according to forecasters with NOAA’s Climate Prediction Center, a division of the National Weather Service. The outlook predicts a 60% chance of

The difference between leading and managing

[vc_row css_animation=”” row_type=”row” use_row_as_full_screen_section=”no” type=”full_width” angled_section=”no” text_align=”left” background_image_as_pattern=”without_pattern”][vc_column width=”2/3″][vc_column_text] Leadership and management are often misunderstood as one in the same. They are not. Certainly, a good leader should be able

Drew Limsky

Drew Limsky



Drew Limsky joined Lifestyle Media Group in August 2020 as Editor-in-Chief of South Florida Business & Wealth. His first issue of SFBW, October 2020, heralded a reimagined structure, with new content categories and a slew of fresh visual themes. “As sort of a cross between Forbes and Robb Report, with a dash of GQ and Vogue,” Limsky says, “SFBW reflects South Florida’s increasingly sophisticated and dynamic business and cultural landscape.”

Limsky, an avid traveler, swimmer and film buff who holds a law degree and Ph.D. from New York University, likes to say, “I’m a doctor, but I can’t operate—except on your brand.” He wrote his dissertation on the nonfiction work of Joan Didion. Prior to that, Limsky received his B.A. in English, summa cum laude, from Emory University and earned his M.A. in literature at American University in connection with a Masters Scholar Award fellowship.

Limsky came to SFBW at the apex of a storied career in journalism and publishing that includes six previous lead editorial roles, including for some of the world’s best-known brands. He served as global editor-in-chief of Lexus magazine, founding editor-in-chief of custom lifestyle magazines for Cadillac and Holland America Line, and was the founding editor-in-chief of Modern Luxury Interiors South Florida. He also was the executive editor for B2B magazines for Acura and Honda Financial Services, and he served as travel editor for Conde Nast. Magazines under Limsky’s editorship have garnered more than 75 industry awards.

He has also written for many of the country’s top newspapers and magazines, including The New York Times, Washington Post, Los Angeles Times, Miami Herald, Boston Globe, USA Today, Worth, Robb Report, Afar, Time Out New York, National Geographic Traveler, Men’s Journal, Ritz-Carlton, Elite Traveler, Florida Design, Metropolis and Architectural Digest Mexico. His other clients have included Four Seasons, Acqualina Resort & Residences, Yahoo!, American Airlines, Wynn, Douglas Elliman and Corcoran. As an adjunct assistant professor, Limsky has taught journalism, film and creative writing at the City University of New York, Pace University, American University and other colleges.