Responding to Ransomware Can Land Execs in Legal Hot Water: Expert


  • Ransomware attacks have hit businesses with increasing frequency over the past year.
  • Responding can be a legal balancing act for execs, according to a lawyer who advises victims.
  • Gerry Stegmaier told Insider how he coaches companies to deal with ransomware.

Ransomware attacks, which typically force firms to shut down their computer systems and grind business to a halt, are a nightmare scenario for companies.

And for executives, dealing with ransomware attacks can also present a legal minefield rife with potential liability, according to an expert who specializes in cybersecurity and corporate governance.

“In the types of crises these organizations face, it’s almost impossible to be aware of how the law may come to bear on making the right decision,” said Gerry Stegmaier, a partner at Reed Smith who advises companies hit with ransomware. “For officers and directors, ultimately the best play is ensuring they have the right process in place.”

There is legal precedent for executives and directors to be held liable for missteps, according to Stegmaier: several recent court opinions suggest that, under the 1996 Delaware decision known as Caremark, which set out directors' duty to oversee corporate risk, they could be held accountable for mishandling cybersecurity incidents.

Ransomware attacks have spiked, with US companies of all sizes being hit with increasing frequency. In recent months, ransomware attacks shut down the largest petroleum pipeline in the country, one of America’s largest beef producers, and thousands of other businesses across the world.

After being hit with a ransomware attack, executives face a series of tough decisions, including whether to pay the ransom, how quickly to notify customers and the public about the attack, and whether to keep attempting to do business without access to disabled systems and data.

Execs should have a ransomware process planned out so they don’t have to decide whether to pay in the heat of the moment

One of the most urgent decisions the executives Stegmaier works with face is whether to pay the ransom demanded by cybercriminals in order to regain access to encrypted data and locked systems. Several recent high-profile ransomware victims did opt to pay, including Colonial Pipeline, which paid about $4.4 million, but some experts have called for a freeze on payments to cut off funding to ransomware groups.

Stegmaier said that, based on his conversations with security professionals, there is no clear-cut answer on whether to pay.

“Invariably there’s tremendous pressure to negotiate with the kidnappers,” Stegmaier said. “Ransomware is a lot like death and taxes. It’s highly likely that all of us will encounter it and that one way or another we’ll have to pay.”

Instead, Stegmaier advises executives to outline clear plans ahead of time that they can follow in the event of an attack. He recommends using principles published by the National Association of Corporate Directors as a guide, which include prioritizing cybersecurity enterprise-wide instead of solely as an IT issue, studying the laws around data theft, engaging experts, and making specific contingency plans for various attack scenarios.

“My philosophy is that there are no good and bad decisions, but there are good and bad processes,” Stegmaier said.

Finally, Stegmaier says executives should be as forthcoming as possible with investors, board members, customers, and the general public during and after an attack, both because it helps maintain trust and because all 50 states have enacted breach-notification laws requiring companies to notify people whose personal data has been exposed.

“In many cyber incidents, you only have one opportunity to lose your credibility,” he said. “Telling the truth is always critically important.”


