What Legal Depts Need to Know About Ransomware Attacks on Companies

When it comes to ransomware attacks on companies, the stakes are high. Ransomware gangs are increasingly targeting valuable corporate intellectual property or the intellectual property of a company’s customers. While ransomware gangs continue to troll for personal identifying information, they also see high value in stealing critical customer information from business-to-businesses (B2Bs).

In-house legal departments are on the front lines in ransomware events. Let’s look at what every in-house counsel needs to consider in the aftermath of a ransomware attack.

Time is Not on Your Side

When an organization determines it has suffered a ransomware attack, the clock starts to tick on a multitude of regulatory filing obligations. These reporting windows are not weeks, but rather hours in most cases. They also vary widely based on the industry. For example, defense contractors must report to the U.S. Department of Defense within 72 hours of discovery of the incident. For those businesses that qualify as “critical infrastructure,” a second 72-hour window to report to the Cybersecurity and Infrastructure Security Agency (CISA) opens. 

If the same business has operations in Europe, the European Union’s General Data Protection Regulation requires additional reports to local authorities there within 72 hours. If the company is also a public company, then the incident would trigger disclosure of a “material” cybersecurity incident within four business days of determining that the incident qualifies as material.

As a result, in-house counsel are left juggling multiple major reporting obligations within a matter of hours, all with competing finish lines.

From our experience, it is best to look at these reports in tandem with the same narrative being used consistently throughout. Practically, that can mean creating even a simple Excel workbook to track the language used for each report. It is best to also look at these early filings through the lens so that they may be used against you in a later class action lawsuit by your shareholders or regulators. In other words, every word the company says can matter, and tracking these early statements and their consistency is critical.

Review Contract Obligations

If your organization is B2B, you may also have contractual obligations to discuss an incident with your customers. These reporting windows have become increasingly short, with many contracts requiring reports of incidents within 36 hours of determining that a particular customer’s information has been impacted or is even suspected of being impacted. We recommend tracking these contract reporting obligations in advance of an incident, keeping a legal department file stored offline or printed.

Doing this legwork in advance can save the crush of trying to review thousands of pages of agreements during the immediate aftermath of a ransomware incident. Remember that often you may not have access to your company’s files while the ransomware is being remediated.

Assess Cyber Incident Insurance Coverage and Policy Obligations

Keeping cyber insurance information at your fingertips and knowing exactly how the policy works can also be a critical element to ransomware recovery. We have seen many organizations in the aftermath of a ransomware event need to reach out to their insurance brokers to procure an emergency copy of a policy. Having this information at the ready — and especially knowing how the policy works from a legal perspective — can help you in the midst of a ransomware event. Carriers increasingly can deny coverage for failure to notify or failure to use their chosen panel providers. We strongly recommend knowing what is covered by the policy, the gaps the policy may have, and how to best utilize your cyber insurance.

Applying these lessons and tips can help ensure that your legal department and the organization can effectively navigate through a ransomware attack while complying with the myriad of contractual, regulatory, and statutory obligations imposed by businesses following a ransomware attack.