Checklist for directors to challenge the ransomware risk
-
When was the last time that the topic “cybersecurity” was discussed at a board meeting?
It is normal for management to provide regular updates on the maturity of cybersecurity to the board of directors and for the board to get involved in strategic cybersecurity decisions.
Directors should check whether cybersecurity is regularly on the agenda and what decisions around cybersecurity were made in board meetings in the last year (see the board meeting minutes).
Directors could refer to a recent ransomware attack mentioned in the media in order to discuss how prepared their organization would be if a similar ransomware attack took place.
-
How is ransomware assessed in the enterprise risk management?
Given the regular media attention to spectacular ransomware attacks and the potentially catastrophic impact on ransomware victims, this risk needs to be evaluated as part of an organization’s overall enterprise risk management.
Directors should check whether the ransomware risk appears in the enterprise risk register, when it was last assessed and by whom.
-
Does the cybersecurity insurance also cover ransomware?
Organizations might look for additional protection against ransomware and other cybersecurity risks by having proper cybersecurity insurance.
Directors should check whether proper cybersecurity insurance is in place and whether the insurance policy also covers ransomware.
Directors should also check what the insurance company will do when the organization activates the insurance policy after being the victim of a ransomware attack. Will the insurance company appoint an external security company to provide technical first aid to the organization? Will forensic analysis be performed? Which damages are (not) covered by the cybersecurity insurance policy?
-
When was the last time that the organization’s Incident Response Plan/Playbook (IRP) was tested, and what actions were defined based on the results of the ransomware test?
Every organization needs to be prepared for significant IT incidents or cyber crises, including a ransomware attack. An Incident Response Plan/Playbook must be in place to help minimize improvisation during such an IT incident or crisis and to allow the right decisions and actions to be taken by the right people. At a minimum, the scenario of a ransomware attack should also be included in the IRP, and it should be tested up front in order to check the validity of the plan and the readiness of the organization (among others in terms of process, people, tools, suppliers, partners and communications to the different stakeholders).
Directors should check whether there is an Incident Response Plan/Playbook in place, when it was last updated and whether ransomware is also covered as one of the possible IT incident/crisis scenarios.
Directors should also verify whether the Incident Response Plan/Playbook was actually tested and what the results were (“lessons learned”).