Ransomware Readiness from a Legal Team’s Perspective
Ransomware attacks are typically an unexpected and unwelcome shock. Common emotions can include confusion, panic and stress, particularly if the organisation doesn’t have a well-rehearsed incident response plan in place.
When an attack happens there is only a narrow window to act and take control of the situation. So, the longer it takes to detect and then transition from shock into response, the greater the opportunity for the attacker to cause the maximum damage.
Advance preparedness, and having a rehearsed and tested ransomware-specific playbook, can help cut through this initial anxiety and speed up your response and recovery.
Adarma’s General Counsel, Scott Connarty, understands the value of preparedness in advance of an attack. In a previous role, before he joined Adarma, Scott experienced what is every General Counsel’s worst nightmare – a devastating ransomware attack.
Over the course of the attack, the cyber criminals exfiltrated a significant amount of data and locked the organisation’s systems, grinding normal operations to a halt. The hackers wanted payment to unlock the systems. In an attempt to force the company to pay the ransom, the criminals leaked portions of the exfiltrated data online.
From when the intrusion was first detected through to full recovery, Scott was on the front line, responding to events as they unfolded.
1 – You’re only as good as your lowest level of cyber security resilience
“We had 36 offices around the globe operating on different internal processes, procedures, IT configurations and operating systems. It was therefore unfortunately extremely easy for someone to come in and exploit our IT environment. We set about fixing it but we couldn’t stop it fast enough.
“Because of these vulnerabilities, the attackers managed to run a PowerShell script across our entire environment, which meant they could access different online computers around our IT infrastructure and drop their ransomware payload across the globe. They then exfiltrated our data to an external source, whilst bricking our systems.”
“Our whole executive team had to be immediately taken offline to respond to the crisis as the investigation into the incident and ensuring we complied with our regulatory and contractual obligations was all encompassing.”
In this instance the company was able to recover its systems without paying the ransom. While Scott admits this was an extremely trying and stressful time, he says he learnt 4 valuable lessons from the experience that all legal teams should consider in advance of an attack. Those lessons form the basis of this article, in which he provides his perspective on how legal teams can prepare to handle a ransomware attack.
2 – Understand your legal obligations
You should examine all your existing contracts to understand what your contractual data breach notification obligations are to customers and partners. If you have clients that operate in highly regulated industries, such as financial services, there are likely to be contractual obligations to notify them of an IT security incident or a data breach within a certain timeframe. Failure to meet these obligations could lead to a material breach of contract, subsequent contractual damages, litigation, and termination of the contractual relationship. It’s better to have all this information readily available because the last thing you will have capacity for in a crisis, such as a ransomware attack, is reviewing contractual obligations in numerous contracts in the required detail.
3 – Have a coordinated communication plan already in place
A ransomware attack can do severe damage to an organisation’s reputation if poorly handled. If you are caught off-guard by an attack and have no communication strategy in place, the reputational damage to the organisation can be made worse. A well-managed communications plan can help get the right message to the right people at the right time.
Although you may need to adapt that strategy and message depending on the circumstances, having a solid foundation for how you will coordinate, communicate and engage both internally and externally can save you time, money, stress and negative publicity, and, critically, give you more time to deal with the situation.
4 – Decide whether or not you would pay a ransom in an attack
Deciding whether to pay a ransom is an extremely difficult decision and one which should be made carefully at Board level following discussions with various stakeholders including legal counsel, cyber insurers, law enforcement and cyber security experts. Ideally, this should be discussed ahead of time, as part of your incident readiness preparations.
Theoretically, if an organisation pays a ransom the attackers should provide a decryption key and withdraw the threat to publish any exfiltrated data.
For many organisations paying the ransom is a simple choice, as it represents the path of least resistance and may turn out to be less costly than paying external advisors to assist and being unable to trade normally for a sustained period. However, there is no guarantee that paying a ransom will result in the attackers providing a decryption key, or that all affected data will be restored.
We should also consider that paying a ransom could be directly funding terrorism or organised crime.
Organisations should be mindful that it is unlawful to make payment to terrorist organisations or proscribed groups in breach of international sanctions.
In preparing your incident response plan the board should weigh up the moral implications of paying a ransom and understand their appetite to engage with attackers in an attack scenario.