Ransomware and cyber-incident response

July 2021

Recent months have seen a surge of ransomware attacks, in which attackers extort money from organizations by making critical data inaccessible and/or threatening to expose it. The attacks against Colonial Pipeline, the Irish healthcare system, and AXA, among others, demonstrated the gravity of the threat, prompting a renewed focus on cybersecurity by both government authorities and private-sector organizations. Since experts believe that ransomware breaches are inevitable, even for companies with sophisticated strategies to prevent them, minimizing the impact of these attacks requires addressing a range of issues: Should the ransom be paid or not? How can that decision be made and implemented responsibly and effectively? What should be communicated to investors, regulators, and other stakeholders? How should the board be involved?

On June 3, members of the European Audit Committee Leadership Network (EACLN) met virtually to discuss the challenges of responding to ransomware attacks with two guest experts: Mike Maddison, EY EMEIA consulting cybersecurity leader, and Phyllis Sumner, partner and chief privacy officer at the law firm of King & Spalding.