While the scale and severity of recent attacks have surprised many, the growing popularity of ransomware comes as no surprise to specialists in the field. With ransomware hitting the headlines, we ask what GCs can do to prepare for the inevitability of a cyber attack.
On 7 May 2021, Colonial Pipeline, the largest petroleum
pipeline in the US, was shut down following a cyber
attack. It remained closed for five days, causing panic
buying, fuel shortages and national security soul-searching.
For cybersecurity experts, the most surprising element of
this episode was that a key part of US infrastructure was
not brought down by the actions of a hostile state (at least
directly), but by a small group of cyber-criminals deploying a
devastating form of online extortion software: ransomware.
After gaining access to a company or individual’s system, the
attacker will make files inaccessible in some way. At the lower
end of the scale, the malicious programme may simply lock the
computer, an easily fixable situation for an IT professional and
no great problem for a large company. But when deployed by
more sophisticated attackers, the software will encrypt the
victim’s files so effectively that recovering them without the
decryption key is virtually impossible.
The Colonial Pipeline ransomware attack was just one of
several high-profile events that have struck ostensibly secure
organisations over recent months. May 2021 also saw a
ransomware attack on meat processor JBS Foods, a $53bn
company that is deemed vital to US food security. The attack,
which led to closure of some of the company’s facilities, was
reportedly ended after an $11m ransom was paid.
While the scale and severity of recent attacks have surprised
many, the growing popularity of ransomware comes as no
surprise to specialists in the field.
‘My first response to the upsurge in ransomware attacks lately
was that we analysts have been warning about this for over a
decade, and we all predicted this was going to happen’, says
David Fidler, senior fellow for cybersecurity and global health at
the Council on Foreign Relations.
‘Now it’s here we have another round of gnashing of teeth, but
opportunities to mitigate the danger have been missed time
and time again over the intervening years.’
Fortunately, even for those who may have missed the early
warning signs, hope is not lost. GC speaks to some of the
leading counsel and cyber experts to find out what the rise of
ransomware means for business, and what lawyers can do to
help prepare their defences.
The unlocked door
The rise in attacks affecting everything from water and energy
utilities to fuel distribution systems is a sign of things to come.
From a cybersecurity perspective, the truly frightening aspect
of these attacks is that, once systems have been compromised,
there is little IT professionals can do to regain control. Bhavani
Thuraisingham, Founders Chair Professor of Computer Science
and the Executive Director of the Cyber Security Institute at The
University of Texas at Dallas, comments:
‘When the malware enters the system, it has access to almost
everything, and in a ransomware attack [hackers] will encrypt
everything and demand a payment in exchange for the key
to unlock the files. As of today, AES 256 encryption cannot
realistically be broken with modern computing methods.
Unfortunately, this means that if the attack progresses to this
stage, you have really no access to anything in the system
unless you get the key to decrypt the data’.
Richard Forno, senior lecturer in the University of Maryland,
Baltimore County Department of Computer Science and
Electrical Engineering, puts it even more succinctly: ‘If you
haven’t been conducting cybersecurity best practices and
a sophisticated attack takes hold of your systems, you're
As a result, victims of high-profile ransomware attacks have
been left with little option but to pay up. In the case of Colonial
Pipeline, hackers demanded a ransom payment of $4.4m in the
form of bitcoin, which they promptly received in exchange for
codes to unlock the company’s systems.
More troublingly, the lines of attack hackers are exploiting
are not easy to defend against. For example, phishing attacks
in which members of staff are fooled into downloading
malicious software by seemingly genuine emails are becoming
increasingly effective. This, says Forno, is increasingly
dangerous given the rise of social media as a means of
validating an unknown person’s identity.
‘Using artificial intelligence and machine learning, you can
identify, develop and even create fake personas that are very
detailed. This can allow you to make a phishing email that
is much more convincing to the target, particularly if you're
targeting a particular individual, such as the CEO of a company.
What’s more, even those who follow every reasonable security
protocol and measure can, unwittingly, become a victim of the
more sophisticated hacks. Increasingly, [malicious] software
is being downloaded through perfectly legitimate websites
via ad networks. [If a hacker] is able to compromise a content
or software distribution network, malware could be injected
into this such that users of a legitimate website would then be
downloading malware through the network.’
This type of attack, say the cybersecurity experts interviewed
for this report, has already been detected on some of the
world’s largest websites, often with little or no awareness
among their users.
Adds Thuraisingham: ‘Ransomware spares no one. It could
attack an 80-year-old great grandmother, a major financial
company or even critical infrastructure. With that said, the
more pain the attacker causes, the more publicity they get and
the more money they can extort; sectors that allow them to
cause maximum damage may therefore be more vulnerable.
These will include major hospitals, government organisations
and, especially, financial companies.’
Of course, cyber experts are aware that ransomware attacks
are now big news, and that reporting biases undoubtedly
skew toward them. Even so, says Fidler, the underlying reality
is that such incidents are on the rise. In fact, the true extent
of the problem has probably been under-reported.
‘There has been an increase in ransomware attacks, and that
increase has been felt across the entire corporate sector
in North America and beyond. Beyond this, there is a large
number of institutions – typically hospitals or other bodies
that hold large volumes of data – that have been victims of
ransomware attacks without the public or media ever becoming
aware of it. So the problem is growing and the scale of the
problem is perhaps larger than one would imagine.’
The GCs who came in from the cold
From the perspective of the US government, ransomware
is a clear and present danger. The increase in the size,
sophistication and public awareness of these attacks, as well
as their ability to damage critical infrastructure, puts general
counsel on the fault line of what, for some organisations, will be
the most important challenge of the coming months.
‘The connection between criminal ransomware attacks and
how the United States government perceives our adversaries as
providing havens for cyber criminals is key’, says Fidler.
‘The government has already accused Russia and China of tacitly
allowing cyber criminals targeting US companies to operate
free of constraints. We're seeing movement toward more
offensive actions on the part of the US government aimed
at cyber-criminal organisations based in potentially hostile
territories because, clearly, our defences are not effective in
preventing these attacks.
If the government does move in that direction, that is a much
more dangerous context for businesses to be in, because we
do not know how cyber-criminal groups are going to respond. They
could become even more sophisticated and try to test how
much further we're willing to escalate’.
The thought that corporations might unwittingly get caught
in this cat-and-mouse game of testing and defending critical
infrastructure is no longer an abstract item on the risk agenda.
Even smaller companies that are not deemed essential parts
of the US economy now face the prospect of becoming
collateral damage in the tit-for-tat exchanges brought on by the
escalation of opportunities for cyber attacks and the escalation
of deterrence by punishment.
‘For GCs, understanding the potential threat is key’, adds
Fidler. ‘Understanding what the threats are from this potential
escalation on the part of the government may help persuade
the C-suite of the need to make more investments in their own
Of course, only a minority of companies will fall victim to the
most serious of incidents, but indirectly almost every single
organisation will end up paying the price, whether through
increased demands on security and compliance or changes to
their relationships with customers and commercial partners.
React and respond – preparing for times of crisis
As the realities of new digital attack vectors
and how to respond to them become
increasingly evident for major corporates
and their counsel, leading private practice
practitioners from the WSG network share
their insights and advice to help businesses
prepare for the worst.
‘Ransom attacks, including larger supply chain-type
attacks, continue to lead the headlines and pose a
sophisticated threat to a business’s ability to operate
or recover, now more than ever,’ says Batya Forsyth,
partner at Hanson Bridgett and co-leader of the firm’s
privacy, cybersecurity and information governance
With cyberattacks increasing in frequency, severity and
variety, the need for general counsel and their teams to
be prepared to react and respond accordingly has fast
become a business imperative, irrespective of company
size or sector.
‘A response plan should set the expectations high for the
organisation,’ says John Babione, a partner at Dinsmore
& Shohl LLP.
‘Responding effectively to security incidents and
potential data breaches should be emphasised as
critical to the success, and in some cases survival, of the
Exactly what a response plan looks like will be different
for every organisation, with individual risk factors and
tolerances both likely to heavily influence the final plan
and procedures. However, the experts we spoke to
agree on several common elements that feature in
successful response plans.
‘A good security response plan sets forth a process that
is easy to understand at all team levels – from general
staff to general counsel – and functions well across a
variety of attack scenarios,’ says Forsyth.
‘Most importantly, the plan must explain how the plan
gets triggered, who makes that decision, who needs to
know about that decision and the first next step for the
Getting buy-in from the wider organisation and ensuring
that everyone understands their individual role in times
of crisis were also seen as essential to successfully
managing a response, with time often a critical but
scarce resource in any attack scenario.
‘The plan should enlist all affected personnel as partners
in a team effort in which everyone knows their daily
efforts and diligence on the front line are valuable and
needed,’ says Babione.
This engagement, though, shouldn’t be limited to
times of crisis, says Babione, who instead advocates
an always-on approach to monitoring for threats
and being prepared to respond – an approach
that emphasises mitigation as much as it does
‘To do this, the day-to-day IT environment, applications
and tools must support and encourage employees to be
watchdogs, looking for trouble and reporting it up the
chain of command,’ he explains.
‘This engagement of the workforce and management
as the hands and feet of the response plan turn the plan
from a piece of paper into what it needs to be – the
means by which the organisation can respond quickly
to incidents to prevent them from turning into a data breach
or other harmful
Insurance has long been one of the major tools used by
corporates to mitigate their exposure to cyber risk, but as the
number of cyber-related insurance pay-outs topping seven
figures grows, policies are being hastily rewritten.
‘[Last year] was an unprecedented year for ransomware attacks
and the payment of related insurance claims’, notes Lavonne
Hopkins, senior managing legal director for security, resilience
and digital at Dell. ‘As a result, the cybersecurity insurance
market is hardening as insurers re-evaluate how to keep their
cyber insurance offers profitable.
I have observed that insurers are focusing more on evaluating
organisational cybersecurity maturity and preparedness
when making coverage decisions and determining premiums
and deductibles. We can only expect this trend to increase.
Organisations should start to prepare for a future that
potentially excludes ransomware coverage from cyber liability
policies and requires self-insurance models.’
A worrying thought. And even those who can find suitable
policies should not be complacent against the threat, says
‘Certain insurers are now offering specific products that cover
the threat of ransomware attacks but relying on this can be
extremely risky. To activate the coverage a company must first
lose its data in a ransomware attack; only then will the insurer
release funds to pay the ransom.
This is obviously not ideal, as the protection offered does not
typically compensate for the reputational damage or staff
costs associated with the incident. I would advise taking all the
preventive measures you can before relying on insurance.’
The price of this sort of ‘kidnap insurance’ coverage is also
likely to increase markedly as insurers keep a watchful eye on
cybersecurity developments. A report issued recently by Hiscox,
an Anglo-Bermudan insurance provider that specialises in niche
categories of risk, noted insurers faced a 50% year-on-year
increase in pay-outs for cyber-related policies, with ransomware
attacks accounting for the biggest contributor to this growth.
Outsmarting the hackers
Even the most generous insurance policy can only be triggered
once a cyber attack has taken place, by which time financial
compensation alone may not be enough to repair the damage.
For general counsel, the only real way to defend against risk is to
go on the attack.
David Mace Roberts, general counsel of transport information
systems provider Electronic Transaction Consultants (ETC), has
been working to keep one step ahead of cyber attackers for
many years. For Roberts, the most notable feature of a good
cyber risk plan is that it looks unlike anything else on the market.
‘A lot of companies will pull up a one-size-fits-all cyber response
plan, but that’s really not good enough. You don't want to stop
your company doing business, so even with things like multifactor authentication you need to think about how often it is
required and whether it needs to cover every device or network.
‘A bespoke cyber response plan needs to be custom crafted
for both you and your industry, and you should have a cyber
response committee within the company. Everyone on this
should know they're on the team and know exactly what to do
when an attack occurs.
‘Beyond this, there are relatively simple steps that anyone can
take to modernise Endpoint Protection, including implementing
remote monitoring, tracking and remediation. Updating remote
access protection, installing virtual firewalls and multi-factor
authorization are all very important as well, especially now that
so many are working remotely’.
Thuraisingham echoes Roberts’ comments. ‘Just as with health
concerns, the best method is prevention. Protect all your
systems, data and processes so that the attackers cannot gain
access in the first place. Perhaps most important, companies
that do not mandate backups and do not have extremely
stringent security policies are most in danger. Do continuous
backups of data and processes. I cannot emphasise proper
backup procedures enough’.
Indeed, as Richard Forno notes, none of these measures are
difficult to implement, but business has tended to ignore expert
advice for too long.
‘The problem I see is that a lot of companies and governments
of all sizes fail to do basic cybersecurity best practices, things
that we in the industry and academia have been urging people to
do for 20, 30, 40 years. This can be things as simple as having a
really strong password or using multiple forms of authentication
for critical or sensitive systems’.
The most important aspect of effective defence against a
ransomware attack, however, comes with employee training.
Human error is overwhelmingly likely to be the biggest weakness
in a cybersecurity defence package, as well as the first thing a
criminal group will look to exploit. To guard against this, says
Roberts, the only option is to train relentlessly.
‘If you only train once a year then training loses its impact
and offers minimal protection. But the form of the training is
also important, and it pays to get creative. There are services
available that do mock attacks with a fake phishing email sent
around, and then if someone clicks on the link by mistake, they
must take a remediation course and will ideally not make the
same mistake again.’
Lavonne Hopkins of Dell agrees. ‘Unfortunately, ransomware
most frequently originates from human error, and over
half of ransomware victims suffer repeat attacks. Training
and education are critical to ensure a comprehensive cyber
preparedness strategy and prevent these ransomware attacks.
Organisations should mandate cybersecurity training, including
phishing training, for all employees and contractors. Employees
are the first line of defence and need to be equipped with the
knowledge to help prevent an attack’.
Before any of the above can take place, senior management
needs to take the risk to business from cyber attack seriously.
As Thuraisingham notes, it is all too common to encounter
business leaders who consider cyber strategy as a matter for IT
‘When you’ve hired the best risk analysts and cyber teams
money can buy it is very easy to conclude that you’ve done
everything you can. This is fundamentally wrong. Businesses will
always be vulnerable to these attacks, so there needs to be a
constant awareness of just how serious the consequences can
Unfortunately, awareness of cyber risk among the C-suite
seems to remain limited. Our survey of over 200 general and
corporate counsel in North America revealed that while legal
teams felt there was a very high risk of cybersecurity breaches
to their organisations, fewer than half were actively involved in
shaping cybersecurity risk planning.
For many organisations, it may come back to haunt them. As
Roberts concludes, ‘If you are a senior member of a public
company, you'd do well to look at the SEC, the NYSE and
NASDAQ who are all really pushing cybersecurity. A cyber
incident is already an event requiring an 8-K form be
filled out within three days, but it is increasingly becoming a
potentially catastrophic reputational risk.
‘Cyber has become a primary risk, due to the frequency of
attacks and to the aggressiveness and skill of the threat actors
perpetrating them. Do you want this on the front page of the
Wall Street Journal or the Washington Post? Do you want to have
to answer to the boards, or to the securities regulators? If not,
then taking the risk seriously now is the best defence.’