Clearhouse
Ransomware Defense for Boards by Betsy Atkins with input from Bill Lenehan
Publication Date: September 20, 2017

For all the clever coding involved, most ransomware delivers a very crude but deadly message when it strikes your company. Important company files are locked, and may be destroyed, unless you pay a specific ransom amount, anonymously, with a short deadline. At that point, panic sets in. But if your top management, IT team and board of directors have devoted some time, thought and resources in advance, you'll know how to respond (and might dodge the bullet altogether).

In my own recent boardroom experience, how boards should deal with cybersecurity is one of the hottest topics. I've been an evangelist for getting boards active in setting and assuring effective corporate digital policies. Much of this should be basic good governance for the twenty first century. Realize that a cyber-attack is now a matter of when not if. Make your board digitally savvy so it can ask smart questions on technology, threats, and liabilities. Assure things like up-to-date platforms, software, and third-party testing.

I should note that the majority of company hacking attacks still involve these conventional threats -- the cyber equivalent of smash-and-grab theft. However, the special dangers posed by digital hostage taking demands a unique corporate governance role. If regular hackers penetrate your systems to steal money or data, there are few shades of grey. There may be debates between IT and the rest of management on budgeting for safeguards (the board should be IT's advocate and "nudger" on this, by the way). However, the priorities after a conventional breach are never in doubt -- assess and limit the damages and learn from the attack.

Ransomware is existentially different and goes to the heart of a board's governance and fiduciary role. Do we as a company pay a ransom demand or do we take the moral high ground and say no? Your board needs to tackle this question, with its uncomfortable blend of technology and ethics, now, before an attack. The major ransomware strains, such as Petya and WannaCry, offer a short time frame (sometimes as little as 24 hours) to pay up or face the consequences. Convening a board meeting that quickly to deal with a flash crisis would be both impractical and unwise. Further, the actual ransom itself can be oddly small. Would you really convene an emergency board session to discuss expending $1,000?

Real-world board experiences with ransomware suggests there is a better way. I've seen ransom demands first-hand at one of my boards, and spoke with Bill Lenehan, CEO at Four Corners Property Trust, who's also faced these traumas. We have observed a number of effective strategies specifically targeted at dealing with the unique threat of a ransomware attack:

Have the ethical discussion before a ransomware attack occurs. Your top executives and IT staff need guidance from the boardroom on the big question of whether or not the company should submit to a demand for ransom. The decision is not an easy one; losing business (and perhaps the business itself) by taking the moral high ground is not your call as a shareholder fiduciary. Your number one mission is to protect the business for investors. That may involve the tough decision to pay up if it will save data or needed access.

"Boards need to provide guidance and support on how this is handled," recalls Bill Lenehan. He finds laying out the issues directly to the board helps clarify their thinking. "I was talking with a 70-year old board chair, and said 'Let me throw you a curve. You're trying to close a $200 million acquisition, when suddenly, your employees get a ransomware demand for a total of $3000. If you don't pay, you jeopardize the deal, your relationship with numerous counterparties, and maybe the company itself.' The response, 'My God, I never thought of this!??'"

Hold this debate now at the board level, because when a hacker's WARNING screen pops up, it's too late for philosophy.

Shape a corporate ransomware response policy based on the ethics discussion. Take the strategic principles the board has developed for responding to ransomware attacks and turn them into a working tactical policy. Include functional steps, like who is to be notified, who makes the final payment decision, damage/cost tradeoffs to weigh, etc. Also, will you even be able to pay the crooks? It sounds distasteful, but assure that you have the mechanisms in place to quickly meet the ransom demands if you choose to.

"You don't want to be scrambling to pay, figuring out how to practically make this work," Bill Lenehan recalls from his own experience as CEO of Four Corners Property Trust. At 5:30 one morning, he received a text message from the company controller telling him there was a problem -- a short-term ransomware attack was spreading globally. "Our board chairman was out of the country, hours behind us, so what do I do as CEO? Would I pay, or not pay, do I need to inform my board, or just hurry to set up a Bitcoin account?"

The CEO and other staff should not have to make these decisions on the fly -- and if they do, it's the fault of the board, which didn't prepare in time. "Ransomware is not the fault of the CEO," notes Lenehan. "It's like a school snow day -- you have to set your decision policies in advance." (Lenehan also notes that his small company has a staff of 12, and is as far off the business news radar as can be -- yet hackers still found them).

No policy can mean inability to respond at all. At a major company whose board I had served on, we faced a short-term ransomware demand, and decided we had to pay. But the hackers demanded payment in Bitcoin, and the company didn't have a Bitcoin account. This took two days to set up -- by which time the deadline had passed. In the missed deadline experience I referred to, we were able to negotiate a compromise. We were ultimately able to decrypt our files.

Also, ask what you'll do if other problems crop up. In Europe, a recent Petya attack demanded payment to the bit-napper's Posteo email account. But before victims could comply, Posteo had blocked the mailbox.

Beware risks related to ransomware attacks on third-party affiliates. Ransomware is not just an internal danger. Even after you shape a sound emergency policy for your corporate response, what about the suppliers, customers and advisors you depend on? Lenehan tells of a ransomware strike, not at his company, but at a major law firm they were depending on to close a $20 million acquisition. "The lawyers got an email from IT early in the morning telling everyone not to turn on their laptops and check them in immediately." A pending deal was suddenly frozen solid.

What would happen at this very moment if one of your top vendor's or client's IT system instantly went dark for an uncertain period of time? Are they able to back up their information with systems completely walled off from the afflicted ones?

Fight hackers with unconventional warfare. Above, I noted the generic things a board can do to improve the technical odds of avoiding and fighting cyber mischief. Push IT to innovate outside its normal comfort zone. Third-party vendors like Optiv, SecureWorks, and Stroz specialize in penetration testing, 24/7 threat monitoring and ethical hacking. Your IT staff says they have the latest software updates and threat assessments? Good -- let's contract with outside experts who can make sure. The expenses involved should be modest and today are a basic cost of doing business. Want to drive a car? You need to buy insurance. Want to operate in today's digital world? Invest in outside cyber-expertise.

Check that cyber insurance coverage is adequate. Speaking of insurance, check your liability and other business policies when it comes to hacking damages and, specifically, ransomware costs. What sort of losses are covered, which aren't, how much could ransomware losses total, what compliance measures must you have in place, and what are disqualifiers? Also, how should your company decide on making a claim? (If you file a claim for a ransomware payment of $5,000, will your premiums shoot up by ten times that amount?) "If someone demands $350 in Bitcoin, it may be like when someone keys your car in a parking lot," notes Lenehan. "Rather than making a claim, you just get it detailed out on your own dime."

Ultimately, boards and management need to respond to a ransomware crisis the same way they respond to any company crisis. They must assure good response tools and plans are in place and functioning, that tough questions are asked, and that everyone knows their role. But for the board, ransomware prep demands an added step -- asking if they're ready to make a deal with the devil.

***

Betsy Atkins serves as President and Chief Executive Officer at Baja Corp, a venture capital firm, and is currently the Lead Director and Governance Chair at HD Supply. She is also on the board of directors of Schneider Electric, Cognizant, and a private company, Volvo Car Corporation, and served on the board of directors at Nasdaq LLC and as CEO and Board Chairman at Clear Standards.

Bill Lenehan is the Chief Executive Officer of Four Corners Property Trust, a real estate investment trust that owns over 500 restaurant properties. He is also on the board of directors of Macy's, the department store company. Prior experience includes board service at Darden Restaurants and Gramercy Property Trust, among others. He spent ten years as an investor at Farallon Capital Management.

 

The views and opinions expressed herein are the views and opinions of the author at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular company, industry or security mentioned herein and nothing contained herein should be construed as legal or investment advice.