Ransomware attacks are a legal minefield for execs. Here’s how they can prepare, according to a lawyer who advises hacked companies

Colonial Pipeline CEO Joseph Blount


Ransomware attacks — which typically force firms to shut down their computer systems, grinding business to a halt — are a nightmare situation for companies.

And for executives, dealing with ransomware attacks can also present a legal minefield rife with potential liability, according to an expert who specializes in cybersecurity and corporate governance.

“In the types of crises these organizations face, it’s almost impossible to be aware of how the law may come to bear on making the right decision,” said Gerry Stegmaier, a partner at Reed Smith who advises companies hit with ransomware. “For officers and directors, ultimately the best play is ensuring they have the right process in place.”

There’s legal precedent for executives to be held liable for missteps, according to Stegmaier: Several recent court opinions found that, under a 1996 ruling known as Caremark, execs are accountable for mishandling cybersecurity incidents.

Ransomware attacks have spiked, with US companies of all sizes being hit with increasing frequency. In recent months, ransomware attacks shut down the largest petroleum pipeline in the country, one of America’s largest beef producers, and thousands of other businesses across the world.

After being hit with a ransomware attack, executives face a series of tough decisions, including whether to pay the ransom, how quickly to notify customers and the public about the attack, and whether to keep attempting to do business without access to disabled systems and data.

Execs should have a ransomware process planned out so they don’t have to decide whether to pay in the heat of the moment


One of the most urgent decisions facing the executives Stegmaier works with is whether to pay the ransom demanded by cybercriminals in order to regain access to stolen data and systems. Several recent high-profile ransomware victims did opt to pay the ransom — including Colonial Pipeline’s $5 million payment — but some experts have called for a freeze on payments to cut off funding to ransomware groups.

Stegmaier said that, based on his conversations with security professionals, there’s not a clear-cut answer on whether or not to pay.

“Invariably there’s tremendous pressure to negotiate with the kidnappers,” Stegmaier said. “Ransomware is a lot like death and taxes. It’s highly likely that all of us will encounter it and that one way or another we’ll have to pay.”

Instead, Stegmaier advises executives to outline clear plans ahead of time that they can follow in the event of an attack. He recommends using principles published by the National Association of Corporate Directors as a guide, which include prioritizing cybersecurity enterprise-wide instead of solely as an IT issue, studying the laws around data theft, engaging experts, and making specific contingency plans for various attack scenarios.

“My philosophy is that there are no good and bad decisions, but there are good and bad processes,” Stegmaier said.

Finally, Stegmaier says executives should be as forthcoming as possible with investors, board members, customers, and the general public during and after an attack — both because it helps maintain trust and because …read more

Source:: Businessinsider – Tech
