By Jeff Kuhn
In April 2021 my partner at FLG, Fuad Ahmad, wrote a post titled Managing Cybersecurity Risk: The Role of the CFO. His key points remain timely and highly relevant today. In this post I want to address perhaps the most pernicious, rapidly growing, and dangerous threat to Cybersecurity today: Ransomware.
What is Ransomware?
Ransomware refers to a type of cyber breach in which a bad actor (a hostile state, cybercriminal gang, or individual) gains access to your corporate data, encrypts it (rendering it unusable by you), and then demands a ransom, promising to decrypt the data and return it to your use once the ransom has been paid.
Perhaps the most infamous instance of ransomware was Sony’s 2014 breach by North Korean operatives at an estimated cost to the company of $1.25 Billion. Since then, ransomware attacks have spread at an alarming and nearly exponential rate through corporate enterprises. Cybersecurity Ventures estimates that global ransomware costs in 2021 were $20 Billion, 57 times the cost in 2015. On November 17, 2022 the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint alert about the infamous Hive ransomware gang, which has extorted upwards of $100 Million in ransom payments from over 1,300 victims since the gang was first observed in June 2021.
Here are more data points from the 2022 IBM “Cost of a Data Breach” report, which analyzed input from 550 organizations affected by data breaches that occurred between March 2021 and March 2022 across 17 countries and regions and in 17 different industries:
- 83% of organizations surveyed had more than one breach.
- The average cost of a ransomware attack in 2022 was $4.5 Million, exclusive of the ransom paid.
- The average time to identify a ransomware attack was 237 days, and another 89 days to contain it, for a total of 326 days.
- Breach costs were about $1 Million higher where remote workers were a factor vs. when remote work wasn’t.
Source: Tripwire: IBM Cost of a Data Breach Report, August 2022
There are many other ransomware statistics available from a wide variety of sources, from Gartner Inc. to cybersecurity solution vendors, but the message should be crystal clear: a ransomware breach is a risk that Boards of Directors and CFOs ignore or treat casually at their peril.
The Hidden Costs of Ransomware Attacks
In addition to the direct costs of the ransom paid to bad actors, there are significant hidden costs of ransomware attacks:
- Company Downtime. Sony was effectively off-line and computerless for months. The average downtime caused by a ransomware attack in Q2’21 was more than 3 weeks (source: Coveware). Imagine your enterprise being computerless for multiple weeks and having to run your business with paper and calculators.
- People Time. Your IT staff will be completely consumed with backup restoration and system and server security upgrades, and your financial and legal staff will be consumed with ransom negotiation, potential and evolving lawsuits, and so on.
- Legal Defense and Settlements. Expect to hear from the attorneys of your customers, with inevitable settlement costs, from class-action lawsuits in particular. Also, if your data contains consumer information like email addresses and credit card information, you will be paying for notification of the breach to those consumers and monitoring their credit reports for many months.
- Theft of Critical Technology and Strategic Plans. In order to encrypt your data the bad actors had to have access to it, so you should assume they now possess it.
- Reputational Damage and Lost Business. Ransomware attacks can be business destroyers, and you will fall under critical observation and judgement of your customers, suppliers, regulators, and employees.
Should Your Company Pay the Ransom?
Whether or not your company decides to pay ransom is a complex decision for a CEO and board.
A recent Gartner review notes the following considerations for companies weighing that decision:
- On average, only 65% of the data is recovered, and only 8% of organizations manage to recover all their data.
- Encrypted files are often unrecoverable. Attacker-provided decrypters may crash or fail. You may need to build a new decryption tool by extracting keys from the tool the attacker provides.
- Recovering data can take several weeks, particularly if a large amount of it has been encrypted.
- There is no guarantee that the hackers will delete the stolen data. They could sell or disclose the information later if it has value.
Law enforcement agencies often recommend against paying a ransom, and in some jurisdictions ransom payment may even be illegal.
What about Cyber Insurance?
Very much like Directors’ and Officers’ Insurance, Cyber Insurance is expensive and getting rapidly more so, both in terms of outright premium cost and in terms of higher retentions (think of them as deductibles). Insurers have experienced soaring losses as ransomware breaches have proliferated. Also, insurers will want concrete evidence that your cybersecurity protocols are robust and current before issuing a policy. Cyber liability insurance is particularly key for companies storing personal data (social security numbers, phone numbers, credit card numbers and HIPAA data).
There are two levels of coverage: first-party and third-party. With first-party coverage, the policy will cover part or all of the ransom. Third-party liability coverage covers legal fees and judgments in cases where customers sue your business for damages caused by a ransomware or cyberattack.
Protecting Against Ransomware Attacks: What Should a CFO Do?
Here are 10 tips for Chief Financial Officers when it comes to mitigating risks around ransomware:
- Obviously, make sure you’re backing up your data every day, but don’t rely only on synchronized real-time cloud-based backups: as soon as your online data is infected or encrypted, so are your cloud backups. You must be backing up your data in isolated “chunks” so that each stands on its own. Ask yourself how far back your most recent “clean” full backup is, and how many versions of it you have. This matters because recent backups may be infected with “sleeping” malware waiting to be activated later.
- Has your IT team rehearsed a full backup restore and tested it? How long will this take? Do this regularly.
- Critically examine your entire IT environment and staff skill levels and be prepared to allocate funds to bring your cyber defense systems and staff up to the highest industry standards.
- Obtain cyber insurance, consumer notification cost, and ransomware insurance policies (they are often distinct from one another).
- Schedule regular cyber briefings with your Audit Committee or Risk Committee, as appropriate. You will need their support for the additional budget necessary to fund investments.
- Form an Incident Response Team (IRT) now that can jump into action immediately if an attack occurs. Once an attack happens you will have no time to pull this team together. Have that IRT rehearse with so-called “tabletop” exercises quarterly.
- Identify and retain a crisis response communications firm now to help you form cohesive, clear, forthright communications in the event of an attack. As with the previous item, once an attack happens you have no time to identify and retain this resource.
- Appoint a designated spokesperson for all external communications in the event of an attack. This person should be the only person speaking for the company.
- If an attack happens, over-correct and over-communicate. Publicly acknowledge the attack, be completely forthright about it, and overdeliver on your company’s response and solutions.
- Identify and engage a partner with AI-automated security controls and real-time threat analyses (known as Extended Detection and Response, or XDR) from providers like Anomali or its comparables.
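The backup questions in the first two tips above (how old is the most recent clean, isolated full backup, how many independent versions exist, and does a rehearsed restore actually match what was catalogued) can be answered mechanically. The following is an added example written for this post, not code from FLG or any vendor; the backup catalog, the scan results and the archive contents are constructed sample data, and the 7-day age limit and 3-version minimum are assumed thresholds.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    taken: datetime
    kind: str          # "full" or "incremental"
    isolated: bool     # offline/immutable copy, not a live-synced cloud mirror
    scan: str          # "clean", "unknown" or "infected" (assumed malware-scan result)
    sha256: str        # catalog hash of the archive, recorded when the backup was taken

def latest_clean_full(backups, now):
    """Most recent isolated full backup that scanned clean, and its age in days."""
    candidates = [b for b in backups if b.kind == "full" and b.isolated and b.scan == "clean"]
    if not candidates:
        return None, None
    best = max(candidates, key=lambda b: b.taken)
    return best, (now - best.taken).days

def independent_versions(backups):
    """Isolated sets each stand on their own; a live-synced mirror is not a version."""
    return sum(1 for b in backups if b.isolated and b.scan != "infected")

def restore_matches_catalog(backup, restored_bytes):
    """A rehearsed restore passes only if the restored archive hashes to the catalog value."""
    return hashlib.sha256(restored_bytes).hexdigest() == backup.sha256

def assess(backups, now, max_age_days=7, min_versions=3):
    """Return the findings a board-level cyber briefing would want to hear."""
    findings = []
    best, age = latest_clean_full(backups, now)
    if best is None:
        findings.append("no clean isolated full backup exists")
    elif age > max_age_days:
        findings.append(f"last clean full backup is {age} days old (limit {max_age_days})")
    n = independent_versions(backups)
    if n < min_versions:
        findings.append(f"only {n} independent backup versions (want {min_versions})")
    return findings

# Constructed sample catalog (example data, not a real environment): one live cloud
# mirror that is not isolated, one isolated set carrying sleeping malware, two clean sets.
NOW = datetime(2022, 12, 1)
ARCHIVE = b"constructed archive contents"
SAMPLE = [
    Backup(NOW - timedelta(days=0), "full", False, "clean", "deadbeef"),
    Backup(NOW - timedelta(days=2), "full", True, "infected", "cafebabe"),
    Backup(NOW - timedelta(days=9), "full", True, "clean", hashlib.sha256(ARCHIVE).hexdigest()),
    Backup(NOW - timedelta(days=16), "full", True, "clean", "feedface"),
]
```

Run against the sample catalog, `assess(SAMPLE, NOW)` reports that the newest clean isolated full backup is 9 days old and that only two independent versions exist, which is exactly the kind of gap the tips above say to surface before an attack rather than after.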
If you need advice about mitigating cybersecurity risks, get in touch. Our partners at FLG are standing by to advise your C-suite and board Audit or Risk Committee.