The surge in ransomware over the past year has led corporate boards to take a much more active role in overseeing cybersecurity, according to an expert panel speaking Tuesday at the Rubrik Data Security Summit. Major enterprises face a heightened risk of data breaches and reputational damage, along with millions of dollars in ransom payments, legal costs and lost productivity.
Companies that previously had policies never to negotiate a ransom now see negotiating a payment as a 50/50 proposition in order to maintain business continuity, according to the panel.
In the energy sector, a ransomware attack in May forced Colonial Pipeline to shut down the largest refined products pipeline system in the United States. The company paid a ransom of roughly $4.4 million in bitcoin to speed its recovery.
As ransomware risk increases, corporate boards are no longer rubber-stamping assurances from their chief information officers and chief information security officers. Instead they are bringing in outside experts, asking more probing questions and preparing themselves against the risk of personal liability.
Companies are also facing a crackdown by insurers, as payouts from ransomware attacks push the limits of what the insurers can sustain. In some cases, insurance firms are raising premiums, reducing or eliminating coverage, and requiring companies to obtain pre-approval before a ransom payment will be reimbursed, according to Ron Plesco, a partner at DLA Piper.
In prior years, corporate boards usually pushed issues like ransomware preparation down to top executives, so the chief executive and general counsel would talk to CIOs and CISOs directly, but the rise in ransomware has changed that equation, according to Plesco.
"Now they're understanding they want to be informed, one because they have to know 'do we have this'," Plesco said. "If something happened tomorrow — are we good at XYZ Corporation, whatever that corporation is."
In addition, corporate boards and C-level executives are asking for incident runbooks that map out which issues top executives and directors will need to respond to in the event of a ransomware attack.
In the past, most companies had runbooks only for their security operations centers, outlining how the technical teams would respond to an attack. Now the incident response plan also has to reach the highest levels of the company, where questions such as whether to negotiate a ransom payment are decided, he said.
Underwriting rewrite
The surge in ransomware and other high-profile data breaches over the past two years has led to major changes in how insurance companies underwrite policies for cybersecurity incidents, Plesco said. As one example, Plesco has recently seen companies required to seek pre-approval from their insurer, before paying a ransom, to confirm that the insurer will reimburse the payment under the policy.
Insurance companies are also running into legal issues over whether they can reimburse a payment made to an entity sanctioned by the Office of Foreign Assets Control (OFAC), the U.S. Treasury Department office that administers and enforces economic and trade sanctions. OFAC has warned that facilitating a ransomware payment to a sanctioned party can itself violate sanctions regulations, which exposes both the victim and any intermediary, including an insurer, to potential liability.
Insurance companies are putting more direct scrutiny on companies by asking tougher questions regarding existing cybersecurity practices, according to JP Calderon, senior vice president and CISO at PVH Corp.
In the past, insurers did not always ask the right questions, or ask them in the right way, about controls such as the use of multifactor authentication or data backups, according to Calderon. Now insurers are realizing there may be trust and transparency issues in how companies answer underwriting questionnaires, and in some cases they are contemplating a certification process to make sure companies are being honest and truthful in their responses.
"They're losing the battle right now, and they've got to find out the right risk reward for these claims," Calderon said.