We know based on conversations with our community that ransomware attacks are increasing for a variety of reasons and that payments have been increasing accordingly. The FBI discourages organizations from paying ransomware and now the Department of Treasury has declared that paying ransoms is illegal and violates OFAC regulations. Seemingly this puts Boards—and the conversation in and around evaluating risk—in a very precarious situation. The consideration around this and the balance of fiduciary responsibility is different depending on the organization (a manufacturing company vs a hospital, for example) and what data is being held….but it still squarely could disrupt the natural flow of risk considerations for Boards.

Participants: