Ransomware attack: how to prepare for the worst-case scenario

Home
Solutions

Technology
Powering the future of wealth with enterprise platform solutions that address complex business challenges

Operations
Achieving operational excellence with business process outsourcing and data management that help clients improve efficiency and performance

Asset management
Connecting investors to what matters most, so they can achieve their goals and make confident decisions

Featured
Insights

Corporate insights
Perspectives and happenings from our leaders and experts

Newsroom
The latest news and announcements

Featured
Investor relations

Overview
The latest financial information for shareholders

Events and webcasts
Timely shareholder announcements and event information

Governance

Reports and filings

Stock information

Board diversity matrix

Featured
Discover SEI ^®

Our story
Who we are, what we do, and how we do it.

Our commitment
Building brave futures through the power of connection.

Our leadership team

Newsroom

Careers

Featured

March 13, 2023

4 MIN READ

Ransomware continues to increase in both number of attacks annually¹and in their complexity, so if your organization hasn’t been impacted by ransomware yet, it is likely only a matter of time. The FBI received nearly 4000 alerts² of ransomware attacks in 2021, with financial services, healthcare, education and government entities most likely to fall victim.

The good news is that organizations are wising up and following the advice of law enforcement to not pay the ransom. But even though overall payments dropped³ from $765 million in 2021 to $456 million in 2022, companies are still handing over the money to recover their data. If they can recover their data, as more cybercriminals are taking the money and keeping the info.

The bad news is that a ransomware attack is going to cost you no matter what you decide about paying the ransom. The worse news is that too many organizations aren’t prepared for the aftermath of a ransomware attack. While many companies have set up a cyberattack plan, they don’t always include the point-by-point checklist of what to do if that cyberattack is a ransomware attack.

It is crucial to think about your approach to a ransomware attack before it happens. If you decide to pay—and that’s a decision that should be spelled out long before the attack happens—do you have funds for a ransom built into your budget? Do you know what your cyber insurance will cover? And how do you set up a transaction if it’s a cryptocurrency ransomware? In addition, it’s important to keep in mind some government agencies have put in legal implications if ransoms are paid.

Writing a ransomware position statement

Ransomware doesn’t fit neatly into typical incident response planning and testing because it all comes down to one different factor: the data is being held hostage by cybercriminals and you have to determine if it is worth paying a ransom to recover. Sometimes all the steps normally taken to address a cyber incident—the detection, remediation, recovery—doesn’t work, and that’s when the difficult call has to be made.

A best practice is to run a ransomware tabletop exercise. The exercise intends to mimic a realistic scenario and includes key stakeholders across the organization. The goals include creating transparency in communication, assessing the plan of action, minimizing potential gaps in your cybersecurity program and eventually help answer the question: do you pay the ransom?

Ultimately, your decision shouldn’t come in the middle of a cyber incident. Every company should have as part of its incident response plan a ransomware position statement that identifies when and why the company would pay a ransom. This statement should be devised with a group of corporate stakeholders that include legal, financial, executive leadership, IT, and security.

Should you pay the ransom?

Some things to take into consideration against paying a ransom:

Legal implications (American law enforcement recommends against it)
Risks of becoming a repeat target
Lack of insurance (many cyber insurance firms are declining ransomware protection)
Reputational damage
Tax and audit considerations

Putting the budget together

Despite the reasons to avoid it, some companies will decide that paying the ransom is the best option for them. It could be that they don’t have a good backup system or that the amount of time it will take to bring the backup online will do more damage to the business, especially where human life is concerned. If that’s the case, then you have to think about how to best budget for a ransomware attack.

That begins with deciding where the money will be coming from. Not every organization has the ability to set aside a few million dollars to use for a ransom, and even if they do, there needs to be agreement on where that money is coming from. Whose department will be responsible for releasing the funds, or will it be a mix of departments?

An approval chain must be put in place. Paying for a ransom shouldn’t be the decision of one person. Any ransomware recovery policy will include a decision-making and approvals chart from each entity.

The worst time to be figuring out any of the financial implications of a ransomware attack is during the middle of the crisis. Having a plan and budget in place before the worst happens will make it easier if you do decide to pay.

¹“The State of Ransomware 2022.” Sophos, sophos.com.

²“2021 Internet Crime Report.” Federal Bureau of Investigation, fbi.gov.

³Toulas, Bill. “Ransomware profits drop 40% in 2022 as victims refuse to pay.” Bleeping Computer, bleepingcomputer.com.

More from The Sphere Blog

Helping to identify the intersection of people, process, tools and budget for optimal risk control.

Let's connect

Learn more about how we can help enhance your cybersecurity posture.