Get Your House in Order: Four Steps to Take Now to Prepare for Ransomware

Share on Facebook Share on X Share on LinkedIn Share via Email Download PDF

August 09, 2021

With ransomware attacks surging, companies should evaluate their cybersecurity posture and harden their defenses. This could include working with a third-party security firm to audit the company's security and then follow-up work to address any high-priority gaps. Apart from working with a security firm, there are myriad resources that could be consulted for this work, including the federal government's recently released website: StopRansomware.gov.

The work described above may help a company avoid becoming a victim in the first place. Of course, that is the best position for a company to be in. However, given the sophistication of attackers, this client alert highlights four other steps that can be taken now to help a company respond quickly and effectively should it nonetheless fall prey to a ransomware attack.

Know your data and where it resides.

Commonly referred to as "data mapping," this process involves understanding the company's data, the sensitivity of that data, and where it is stored. For example, does the company know on which servers it houses sensitive information regarding its customers? How about its employees? How about its contract partners? Is that data backed up and, if so, is the backup stored offline and separated from the main systems? In our experience, companies that have a handle on this information are better positioned to respond to a ransomware attack than companies that do not. For example, assume an attacker claims to have taken sensitive data from a specified server on a company's system. If the company knows that the particular server does not in fact house sensitive data, the company is in a better position to evaluate its bargaining position with the attacker and respond accordingly. That many state privacy laws also require a company to know the location and uses of its personal data is all the more reason to undertake a data mapping exercise now.

Develop an incident response plan, test it, and keep it updated.

An incident response plan is the company's "playbook" in the event of a ransomware attack or other cyber incident. The plan should list the team that will respond in the event of an attack (with updated contact information); the team members' respective roles and responsibilities; triage and escalation rules depending on the severity of the attack; and contact information for insurers, counsel, forensic advisers, and public relations professionals. Once the plan is drafted, the company should test it so that everyone is familiar with the plan and ready to act. The plan should be kept up to date, ideally through an annual revision process.

Develop contacts with law enforcement.

A company's counsel or internal security professionals may have relationships with the FBI, Secret Service, or local law enforcement, which should be fostered during "peacetime" to strengthen the company's crisis posture. As former federal cyber prosecutors, we have seen these relationships pay dividends in responding to an attack and even recover assets. The time to develop those relationships is before the company suffers an attack.

Evaluate your insurance program and work with your broker to address any gaps.

Depending on the incident, several insurance policies could be relevant, including cyber and fidelity/crime. Having a robust insurance program is helpful not only for the coverage it may provide but also because the underwriting process may itself help the company assess its cybersecurity posture and address any shortcomings. Also, many cyber policies provide access to or discounts on preferred advisers, including experienced outside counsel, forensic investigators, and public relations professionals, and it is important to understand these benefits before the compressed time frame of a ransomware attack or other cyber incident. If your usual broker contact is not conversant in cybersecurity insurance and its coverage options, request that your contact involve a cyber-product specialist within the brokerage, or consider working with a different insurance broker. Cybersecurity insurance plays a central role in mitigating the impacts of ransomware, and as a result, understanding its features is critical.

As recent events have shown, it may not be possible to eliminate all risk of a ransomware attack. But taking the steps outlined above should help companies ready themselves to respond to such an attack.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.