Planning for a Gathering Storm: Ransomware Preparation and Response

By Marshall L. Miller and Adam Sowlati

Ransomware attacks render an organization’s information technology (IT) systems inoperable or its data inaccessible, unless and until a ransom is paid. According to the FBI, since 2016, an average of 4,000 ransomware attacks have occurred daily, causing over $1 billion in damages annually. And ransomware is reportedly growing in sophistication and increasingly targeting organizations. For example, 23 municipalities in Texas were struck last week in a coordinated attack. Companies would be well served by engaging in advance ransomware preparation.

Before an attack, companies should consider prophylactic preparatory steps, such as implementing reliable processes that back up IT systems and critical data to reduce ransomware exposure, securing cyber liability insurance to cover costs associated with significant ransomware incidents, and implementing incident response plans that include effective elevation procedures and account for the unique challenges of a ransomware attack. Fostering pre-attack relationships with law enforcement can also pay dividends, providing swift access to resources, intelligence, and experience to assist investigation and remediation.

In the event of an attack, companies should protect response efforts with the attorney-client privilege by assigning legal counsel a leadership response role and engaging forensic, technical, and other necessary advisers through counsel. Companies should carefully assess potential legal disclosure obligations, including breach notification and data privacy laws at the state and international levels, the SEC’s 2018 Cybersecurity Disclosure Guidance, and any applicable industry-specific regulatory notice requirements. Insurers may need to be notified promptly, and companies may have contractual obligations to vendors or customers to disclose cyber incidents that impact their data or systems.

The decision whether to pay a ransom should be approached with great caution and careful deliberation. Though the FBI discourages such payments, federal law does not generally prohibit them. Before paying a ransom, consideration should be given as to whether a payment is likely to prove effective or would open the company up to additional risks; reasonable steps should also be taken to ensure that the ransom recipient is not the subject of sanctions. Ultimately, any ransom payment should be made only after thoughtful cost-benefit analysis at the executive management level, informed by the input of legal counsel.

Marshall L. Miller is of counsel, and Adam Sowlati is an associate at Wachtell, Lipton, Rosen & Katz.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.