Held (Up) for Ransom

As ransomware attacks grow and firms are forced to pay off hackers, more boards are being left out of the equation.  

The message appeared on the IT manager’s screen. A hacker group had infiltrated the company’s systems and taken control of its network. They wanted $20 million to return the data and not publish it on the dark web—and they wanted it within the next 24 hours. The IT manager alerted his boss, setting off a chain reaction of frantic messages between the company’s general counsel and the C-suite. Together, they determined that the threat was legitimate and that the ransom was cheaper than the cost of having the data exposed, so they quickly wired over the money.  


It wasn’t until after the ransom had been paid that anyone thought to alert the board. In the frenzy of the moment, against the pressure of the clock, the C-suite had simply acted.  


Is that common? With ransomware attacks growing both in size and sophistication, a small but surprising number of firms have apparently been responding without alerting their boards in advance. Firms’ leaders say the pressure of these attacks compels rapid decision-making. That creates difficulties for boards, which are ostensibly tasked with final authority over financial impacts and liability. “The consequences of the outcome could fall on their plate,” says Craig Stephenson, managing director of the North American CIO/CTO practice at Korn Ferry.


The proliferation of ransomware attacks has left organizations scrambling for help. Today, hacker groups—equal in size and sophistication to any S&P 500 company—are operating in pretty much every country around the world. Over the last two years alone, there have been more than 1.1 billion attacks costing corporations $1.2 billion. Casey Cegielski, Woodruff Professor of Information Systems at Auburn University’s Harbert College of Business, says there’s a simple reason these attacks are increasing: corporations are easy targets. Roughly 95% of all ransomware attacks against corporations are settled with a payment. “Most companies that are attacked panic and pay to make it go away as quickly as possible,” says Cegielski. He notes that firms tend to assume the cost of the ransom will be covered by cybersecurity insurance.  


But that strategy could get expensive. While the average payment to settle a ransomware attack now hovers at around $260,000, hackers have been able to successfully extract millions and, in some cases, tens of millions of dollars from large global organizations—figures large enough to raise questions about cybersecurity oversight at the board level, say experts. One way hackers have been able to extort more money from companies, for instance, is through a practice known as “double extortion,” whereby they not only restrict access to a company’s networks but also extract data to sell to the highest bidder. According to one report, hackers in extraction attacks demand ransoms up to five times higher.


“It’s not about giving data back to the company,” says Dima Rabadi, assistant professor of cybersecurity at Penn State University. “Now it’s about not giving data to someone else.” Double extortion is rampant in data-sensitive businesses like financial services, health care, and aerospace and defense, for example, where the publishing of the data would be severely damaging to brand reputation and consumer trust.  


The rise in ransomware in general, and double extortion in particular, is partly responsible for the SEC proposing new rules to help better protect investors from disruptive and expensive attacks. These would require boards to disclose details of their knowledge, expertise, and approach to cyber oversight. Generally, boards have become more proactive; for instance, some have created crisis-response teams to maintain internal communication in the event of an attack, says Alan Guarino, vice chairman in the CEO and Board Services practice at Korn Ferry. Guarino says that, at a minimum, the company’s board chair or lead director should be notified of any ransomware attack and regularly updated.  


“Cyber incidents should be treated no differently than if a warehouse or other physical asset was attacked,” he says. Moreover, with ransom demands reaching into the tens and sometimes hundreds of millions of dollars, Guarino suggests boards consider a policy, based on the size of the company, stipulating the amount management is authorized to pay in a ransomware attack before board approval is required.


A recent Korn Ferry report also found that more boards are forming tech committees to address concerns around the governance of security, as well as matters having to do with such issues as artificial intelligence and data privacy. Boards are also tapping outside experts for guidance, among them companies like Arete, Coveware, and CyberSecOp that specialize in ransomware negotiations. These experts offer their counsel during the unfolding of an attack and, if needed, will deal directly with the hackers, says Bob Irwin, a senior client partner in the CEO Succession practice at Korn Ferry.


Even as companies cut costs, Stephenson says boards must ensure leaders continue to invest in cybersecurity. They should be regularly updated on the measures firms are taking to thwart attacks. He points to data-loss-prevention and network-prevention solutions as areas of focus. “When it comes to ransomware, it is up to management to resolve the situation,” he says, “but the board has to be involved in the process.”


For more information, contact Korn Ferry’s Board and CEO Services practice.