Ransomware: Would your company pay?

June 18, 2021

Would your company pay hackers who hijacked your system and held it for ransom?

Probably not?

Maybe – in certain circumstances?

This is a question that an increasing number of US companies are being required to ask themselves. In some cases, CEOs are answering yes – as we saw in the recent Colonial Pipeline breach, where the company paid $4.4 million to hackers (more than half of this has since been recovered).

If you haven’t given thought to what you would do if you found a ransom note on your monitors, you aren’t prepared. We recommend that all companies have a business continuity plan that considers cyber threats, like ransomware.

NIST’s Recommendations: Prepare for Ransomware

Prevention is always better than a cure, especially when it comes to the risk ransomware poses to the business-critical and personal data stored by your business.

Here is what the National Institute of Standards and Technology (NIST) recommends for protecting your company from the threat of ransomware:

Implement minimum cybersecurity standards

These should include:

  • Use antivirus at all times.
  • Keep your network fully patched.
  • Use security products/services that block access to known ransomware sites.
  • Use operating systems that only allow authorized applications to run. (This helps prevent ransomware applications from executing.)
  • Prohibit your employees from accessing personal applications or accounts on work devices.
  • Use permissions to ensure users only have administrative access if they need it.

You should speak with your IT team and legal counsel to ensure you’re working in line with best cybersecurity practices.

Business Continuity Planning

Your IT framework should be developed in such a way that minimizes the risk of cyber attacks, but it should also be built to minimize the disruption in the event a ransomware hack occurs.

Again, this planning should be developed with the guidance and expertise of your IT team and legal counsel.

Train Your Team.

You should consider rolling out basic staff training that reinforces cybersecurity hygiene. It’s good practice to advise staff to check that links direct to legitimate sites and to mark spam emails as spam instead of clicking links (including “unsubscribe” links), which could take staff to a malicious site. Your team should know and understand how to recognize phishing attacks and other forms of social engineering. Be sure to require periodic refresher training for your staff as well. New avenues of attack are always emerging, and an alert staff can be your best protection.

Then, Develop Your Response Checklist.

Your team should understand who is responsible for taking which actions in the event of a breach. Develop key accountability roles in advance and document them, alongside actionable steps. The speed and efficiency of your response can be critical in minimizing the impact of a ransomware attack.

As an aside, when developing your response plan, US federal law enforcement agencies do not recommend paying a ransom following a breach. There is no guarantee that you will get your data back, even if you pay. Moreover, the money you pay may fund criminal activities which can violate other federal regulations and expose you to fines.

The critical elements of a ransomware playbook (as outlined by NIST) include:

  • A set of formal recovery processes.
  • A detailed log of the organizational resources required to achieve the organization’s missions (your people, facilities, technologies, and external services).
  • Functional and security dependency maps to understand the order of restoration priority.
  • A list of technology and personnel responsible for implementing recovery planning.
  • A comprehensive recovery communications plan.

Your recovery communications plan should be developed with input from legal counsel. You need to know and understand your legal obligations regarding data breach reporting and this should be reflected in your planning.

Finally, Plan For Recovery.

You should develop, stress-test, then implement an incident recovery plan. We can’t comprehensively cover ransomware recovery in this email, but you can review the NIST Recovery Guide here.

You should also contemplate measures you’ll need to take to regain the trust of your consumers following the breach. Your recovery communications plan should contemplate this, but you will need to be agile and responsive in managing the expectations of your audience as you recover.

If you need assistance determining your company’s legal obligations in the case of a ransomware attack, reach out. We’re here to help!

