Ransomware, incident response, and the board

August 2021

Recent months have seen a surge of ransomware attacks, in which attackers extort substantial sums from organizations by making critical data inaccessible or threatening to expose it. The attacks against Colonial Pipeline, JBS, and Apple, among others, demonstrated the gravity of the threat and prompted a renewed focus on cybersecurity by both government authorities and private-sector organizations. Since experts believe that ransomware breaches are inevitable, even for companies with sophisticated strategies to prevent them, minimizing the impact of these attacks involves a range of issues: Should the ransom be paid or not? How can that decision be made and implemented responsibly and effectively? What should be communicated to investors, regulators, and other stakeholders? How should the board be involved?

On June 28, members of the Audit Committee Leadership Network (ACLN) met virtually to discuss the challenges of ransomware and incident response with three guest experts: Orion Hindawi, CEO of Tanium, a cybersecurity software and services company; Chuck Seets, Americas assurance cybersecurity leader at EY; and Phyllis Sumner, partner and chief privacy officer at the law firm of King & Spalding.