Cyber-Risk Oversight Toolkit

Ransomware Readiness

By Mike Woods and GE

03/24/2023

WHAT IS RANSOMWARE, AND WHY IS IT DISTINCT FROM OTHER CYBER THREATS?

Ransomware is a tool for extortion. It is a type of malicious software (malware) used by threat actors to block access to data or systems. Ransomware encrypts files on its target, and the attacker withholds the decryption key until the victim pays a ransom, usually by a specific deadline and in cryptocurrency. In 2021, it took an organization one month on average to recover from a ransomware attack.1 That month carries lost business opportunity, replacement device costs, the ransom itself, and more. In 2021, the average cost for an organization in the United States to recover from a ransomware attack was approximately $1.4 million.2

With more than 150 active variants as of 2022, ransomware has become a cost-effective, service-based attack for cyber criminals. According to Top10VPN's Hacking Tools Price Index, malware can be purchased for as little as $45.3 As noted in the Principles section of this handbook, the economics of cybersecurity are upside down: committing an attack costs far less than securing an organization against it, mitigating it, and insuring against it. Cybersecurity insurance is costly; accordingly, boards should ensure their management teams have clear contingencies, situational awareness, and readiness to respond to an attack.


QUESTIONS BOARDS SHOULD ASK SENIOR MANAGEMENT ON RANSOMWARE

Backup and Recovery

  1. How are our system backups maintained, tested, and measured for resiliency? Here is one follow-up question to consider asking:
    1. Does the implementation of backups include reporting, metrics, and ongoing monitoring requirements?
  2. In the event of a ransomware attack, are we confident that our IT systems can be restored within our specified recovery plan objectives? Are we including third-party systems and capabilities (e.g., cloud-based software) within our recovery plan?
    1. Do our system backup and recovery partners' response times align with the timelines in our current recovery plan?

Suppliers and Partners

  1. Do we monitor critical third parties (those we share data with and/or have network connectivity to) for ransomware attacks? When receiving answers to this question, boards can look for details about the following:
    1. Whether we train supply-chain personnel to recognize cybersecurity risk and enable mitigation activities.
    2. Whether third-party due diligence is performed throughout the proposal, selection, and onboarding processes.
    3. Whether a vendor-risk management framework is in place, with appropriate stakeholders involved and a direct owner of this function.
  2. Do we require specific ransomware and/or incident reporting from third parties within our contracts and agreements? Directors can consider asking a follow-up:
    1. Is cybersecurity expertise leveraged during the negotiating and contracting process?
  3. As part of our enterprise vendor risk management program, do we assess (and periodically reassess) third parties to understand their cyber-risk posture?

Response Exercises

  1. Is there a clearly communicated line of accountability in the event of an attack? Are there plans for ransomware tabletop/simulation exercises so that people across our organization can build muscle memory around their roles?
  2. Are there clear thresholds related to the materiality of an attack, including triggers for engagement of senior management and/or the board?
  3. Are we ready to coordinate with law enforcement in the event of a ransomware attack? Directors can ask senior management whether the organization has an established understanding of whom to contact, based on the jurisdictions it falls within:
    1. US state, local, tribal, and territorial government agencies can report ransomware attacks to the Multi-State Information Sharing and Analysis Center (MS-ISAC).
    2. Other sectors and home users should report attacks to their local FBI field office or the Internet Crime Complaint Center (IC3).
  4. Does management have a clear stance on paying or not paying a ransomware demand? If an incident leads management to recommend paying a demand, have we walked decision makers through how the process would work?
    1. Does the board know if the organization has appropriate access to a cryptocurrency wallet and cryptocurrency expertise to make a payment? This expertise may be available via a third party such as an insurer.

Communications

  1. Is there a concise communications plan spanning the cybersecurity and technology teams and senior management? Here are some items boards can consider asking follow-up questions about:
    1. When and how will company officers and employees be notified of the disruption?
    2. When and how will business partners and key external parties be notified?
    3. Who will be responsible for preparing and delivering a public statement on the disruption?
    4. What will be the timeline for acting on regulatory, disclosure, or compliance requirements, and who will be involved?
  2. Does the plan include holding statements for various audiences (e.g., employees, customers, regulators, media)?
    1. Does the plan provide for keeping company officers, employees, business partners, and the public informed as the incident investigation progresses?

ENDNOTES

1 Sophos, "Ransomware Hit 66% of Organizations Surveyed for Sophos' Annual 'State of Ransomware 2022'," sophos.com.

2 Ibid.

3 Simon Migliano, "Dark Web Market Price Index: Hacking Tools," top10vpn.com, updated September 1, 2021. (https://www.top10vpn.com/research/dark-web-prices/hacking-tools/)


ADDITIONAL TOOLS