Ransomware and the C-suite: Insights from a legal expert

Ransomware has been a leading cyber threat that enterprises have had to grapple with for years, but since the start of the global pandemic its impact has reached unprecedented heights. On average, as many as 4,000 ransomware attacks have occurred daily since January 1, 2016. Once the pandemic began, organizations had to quickly adapt to enable distributed workforces, which led to accelerated digital transformation initiatives that drastically expanded attack surfaces in organizations across industries.

Since then, the ransomware threat has only grown. The primary vector of attack — malicious emails — has skyrocketed, ransom requests have grown from $5,000 in 2018 to $200,000 on average in 2020, and targets have only grown, making ransomware a kitchen table issue and getting the attention of executive leadership within enterprises in addition to the highest levels of government. This has led to more than 85 percent of corporate boards becoming more engaged in cybersecurity than they were two years ago, according to an ESG global study.

We recently discussed the headline-grabbing ransomware wave with David Kantrowitz, Counsel at Goodwin. Kantrowitz is an active member of the firm’s Complex Litigation & Dispute Resolution practice and a member of its Data, Privacy and Cybersecurity practice, in addition to the Financial Industry group.

During our interview, he shared his thoughts on how and why ransomware is getting the attention of executive leadership, the legality of ransomware payments, and how cybersecurity leaders should further educate the C-suite and board members on the topic.

[The responses should not be construed as legal advice given the facts of your specific situation have not been considered. If you have a specific situation in which you need advice, please reach out to Goodwin Procter and they can connect you with the right attorney.]

Question: From your point of view as a legal expert and seasoned professional when it comes to this topic, can you share where we stand today when it comes to ransomware?

David Kantrowitz (DK): It feels like we’re at an inflection point. The activity was extremely hot in the winter and spring. There were unprecedented supply chain attacks and attacks on critical infrastructure. Ransomware reached the highest levels of government, which is not something that we have ever really seen before. It has never been more risky for the bad actors who do this kind of work. Some notable groups have shuttered or gone dark. So we’re at a point where the bad guys are deciding if they’re going to continue to do this and risk the government coming down on them, quit, or regroup and reconstitute in different ways. The next wave of ransomware won’t look like the prior wave.

Question: Every time there’s a new wave of ransomware, it seems to continue to climb the ranks within organizations–and now even government — in terms of the level of attention it receives. What kind of impact did the recent wave have in terms of receiving attention?

DK: It has certainly reached the highest levels within companies and within government. The FBI is now interested in ransomware in a way that we haven’t seen before. Companies are rightfully focused on preparation. Everyone is concerned about being the next victim. They’re thinking not only about taking adequate security precautions, but just as importantly with about how to respond if a successful attack takes place.

Question: How has ransomware-as-a-service changed the threat landscape?

DK: It means that the barrier to entry is a lot lower than it used to be. We are now dealing with a lot of actors who may not be as sophisticated as the people that designed the ransomware itself. It makes it more unpredictable because different groups have different incentives. Some do double extortion, meaning they not only encrypt your system, but they also take data and threaten to release it on the dark web. Others don’t take data at all. It is unpredictable and difficult to defend against.

Question: What are organizations doing wrong today when it comes to ransomware?

DK: Ransomware is really a structural problem and while security measures can always be improved, victims aren’t doing anything “wrong” per se. There are really two types of attacks. Some are almost impossible to defend against — these are supply chain attacks. They come in through vendors or software. These are more sophisticated and at so high a level that they can be almost impossible to stop. Then there is ransomware that comes through phishing or other existing vulnerabilities. Many ransomware attacks fall into this category. While it’s impossible to protect against that 100 percent of the time, taking certain simple preventative measures can certainly make you less vulnerable. This is what companies should really focus on in terms of prevention.

Question: You mentioned double extortion. Should organizations assume that data's been exfiltrated in any instance where ransomware successfully compromised a network?

DK: You shouldn’t assume anything until you investigate it. Unwarranted assumptions can be very costly and damaging to your reputation and it’s difficult to regain trust after sharing inaccurate information. While data exfiltration with ransomware is more common than it once was, we still see cases where there is ransomware and yet no exfiltration of data. Some ransomware variants do not have the technical capability to exfiltrate data.  

Question: Should organizations pay when it comes down to the ransom associated with this attack? Will the legality involving ransomware payments evolve over time? 

DK: It’s a very difficult question. It’s hard to argue with the idea that if nobody paid, we’d all be better off. But it’s very different to sit here and talk about hypotheticals versus when your company is shut down and you’re going to lose potentially tens or hundreds of thousands of dollars a day if you can’t operate. Ultimately the business must make that decision that based on their particular circumstances, taking into account the cost to the business if it can’t operate in full or in part and the availability and quality of their backups.

In terms of the legality, while there is no per se prohibition on paying ransoms, companies should always make sure the payment does not have a sanctions nexus, potentially running afoul of Office of Foreign Assets Control (OFAC) regulations.

While there is some talk about making ransom payments illegal altogether, I think that is unlikely. Many companies would still make the choice to pay if their business depended on it, but instead of cooperating with the FBI, would keep the facts of the ransomware and the incident hidden, potentially hindering the government’s investigations. However, I do think there’s a very real possibility that we will see new mandatory reporting requirements. Most companies already report ransomware to law enforcement, but not necessarily the details of the payment. Mandatory reporting would change that.

Question: When did ransomware start becoming a C-suite and boardroom issue? 

DK: I think it already started getting attention in the last couple of years, especially in the last year and a half. But the Colonial Pipeline attack really took it to a new level, with people lining up for gas in states that were reliant on that pipeline. That image of it affecting day-to-day people is something that we didn’t have before. So it has not only reached the C-suite and boardroom — it has reached the living room.

Question: What would you say is the best way to educate executive leadership and board members on this topic?  

DK: I think it’s important to bring home what a ransomware event would do to their company. Creating a tabletop exercise or scenario that illustrates the impact that it would have on their customers and other stakeholders. You don’t have to be a technical wizard to understand how damaging that is. I think that by talking through it in practical terms and walking through the various decision points — most executives are very interested in that. We’re seeing more of that planning than we did two years ago.

Question: Boards of directors have committees for different areas within the business. Do you recommend making ransomware its own committee? Should it be a topic that’s covered regularly as part of other committees?

DK: I don’t think there needs to be a committee that focuses solely on ransomware, but there should be regular discussions on cybersecurity issues, of which ransomware should be a part. Those discussions should be documented in the minutes, so it shows that the board is taking these issues seriously. That protects the board as well and shows that they are doing their due diligence, they are thinking about these issues, and they are fulfilling their fiduciary duties to the company and shareholders.

Question: There are quite a few lawsuits currently in process as it relates to ransomware. Do you think organizations will see more of that in the future and is this something that executive leadership needs to consider when it comes to future investments in cybersecurity?

DK: It’s certainly one consideration. How likely a lawsuit will be depends on a number of factors, such as the nature of the customer or investor base and how likely they are to sue. What is the breakdown between personal data and business data? What’s the nature of the data that could be exfiltrated and how damaging could it be? Every company’s risk profile is different.