Boards and Ransomware: Dealing with the Devil

By Betsy Atkins; Bill Lenehan contributed to this report

For all the clever coding involved, most ransomware delivers a crude, deadly message when it strikes your company. Important company files are locked, and can be destroyed, unless you pay a specific ransom amount to an anonymous recipient by a short deadline. But if your top management, information technology team and board of directors have devoted some time, thought and resources in advance, you’ll know how to respond.

In my own recent boardroom experience, I’ve been an evangelist for getting boards active in setting and assuring effective corporate digital policies. Much of this should be basic good governance for the 21st century. However, the special dangers of digital hostage-taking demand a unique corporate governance role. If common hackers penetrate your systems to steal data, company priorities are never in doubt—you assess and limit the damages, and learn from the attack.

Ransomware is existentially different, and goes to the heart of a board’s fiduciary role. Do we as a company pay a ransom demand—or do we take the moral high ground and say no? Your board needs to tackle this question now, before an attack. The major ransomware strains offer a short time frame to comply. Convening a board meeting that quickly for a flash crisis would be both impractical and unwise. Further, the actual ransom itself can be oddly small. Would you really convene an emergency board session to discuss spending $1,000?

I’ve seen ransom demands firsthand at one of my boards. Here are some ideas specifically targeted at the unique threat of ransomware:

• Get your ethical discussion out of the way now. Your top executives and IT staff need guidance from the boardroom on the big question of whether or not the company should submit. The call is not an easy one. Losing business (and perhaps the business itself) by taking the moral high ground is not your call as a shareholder fiduciary. Your No. 1 mission is to protect the business for investors. Hold this debate now at the board level, before a hacker’s message pops up on your screen.

• Shape a corporate ransomware policy based on this discussion. Take these strategic principles and turn them into a working tactical policy. Include functional steps, such as who is to be notified, who makes the final payment decision, damage/cost tradeoffs to weigh, etc. Also, ask if you will even be able to pay the crooks. At a major company on whose board I serve, we faced a short-term ransomware demand, and decided we had to pay. But the hackers demanded payment in bitcoin, and the company didn’t have a bitcoin account. This took two days to set up, by which time the deadline had passed.

• Fight hackers with unconventional warfare. Push IT to innovate outside its normal comfort zone. Third-party vendors such as Optiv, SecureWorks and Stroz Friedberg specialize in penetration testing, 24/7 threat monitoring and ethical hacking. Your IT team says it has the latest software updates and threat assessments? Good—but contract with outside experts who can make sure. The expenses involved should be modest, and today are a basic cost of doing business, like insurance.

• Speaking of insurance, check your liability and other business policies when it comes to ransomware costs. Which losses are covered, which aren’t, what compliance measures must you have in place, and what are disqualifiers? Also, how should your company decide on making a claim? (If you file a claim for a ransomware payment of $5,000, will your premiums shoot up?)

Ultimately, boards and management must respond to a ransomware crisis as they do any company crisis. They must ensure good response tools and plans are in place and functioning, ask tough questions, and ensure that everyone knows their role. But for the board, ransomware prep demands an added step—asking yourself if you’re ready to deal with the devil.

Betsy Atkins has a newly updated book, Behind Boardroom Doors: Lessons of a Corporate Director. Atkins is a serial entrepreneur and three-time CEO. She is CEO and founder of Baja Corp. and on the board of Cognizant, Schneider Electric and Volvo.

Bill Lenehan, a longtime real estate executive, is CEO of FCPT, created from the spinoff of Darden Restaurants’ real estate. He previously served on Darden’s board as a member of its corporate governance committee and chairman of its real estate and finance committee.
