The onslaught of ransomware attacks since the pandemic began has not slowed. Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups. But organizations also need to be prepared to respond to such an attack if their cybersecurity controls fail, and many companies are in fact implementing ransomware-specific cybersecurity incident response plans, which outline the steps a company will take to respond quickly and efficiently to this unique cyber threat, including, among other things, threat actor engagement, ransom payments and sanctions compliance.
But who at a company has the authority to decide to make a ransom payment following a ransomware attack? The board of directors? The CEO? The disruption caused by ransomware can have a huge impact on the daily operations of a company and can result in significant financial losses (e.g., costs from downtime, lost productivity, recovery and remediation, managing government investigations, and potential class action litigation related to information exposure or mismanagement of the company’s cybersecurity program). As a result, ransomware threats require a company to act quickly to bring operations back online and to protect company-owned or company-maintained information. This quick decision making in the hours and days following a ransomware attack may involve the decision to negotiate and pay the demanded ransom, either to obtain a decryptor tool if backups are inaccessible or destroyed, or to secure the return of stolen company information, whether that be personal data of individuals or company intellectual property.
Although there is a dearth of case law in this area, we believe that this fast-paced decision to pay the ransom (or not) lies with senior management.
Under Delaware corporate law, officers of the corporation have the authority to manage day-to-day matters, while material actions require board approval. The distinction between “day-to-day” and “material” is circumstantial and will depend on the facts at issue, and a ransomware attack could well qualify as a material event. However, Delaware corporate law gives companies wide latitude to delegate decisions to management without requiring prior board approval. Such a delegation may be express, or it may be implied from circumstantial factors showing that the authority was meant to be granted.
Whether a company has provided its senior management the authority to pay a ransom without board approval can be found in various places:
- Implied delegations of authority, including in the bylaws, that grant senior management broad authority to take actions to ensure assets are protected, maintained, and not placed in unnecessary risk;
- Past practice where senior management made decisions without prior board approval during key and critical events; and
- Cybersecurity incident response plans that provide senior management the express authority to make a ransom payment.
While the board may delegate authority to pay a ransom to senior management, the directors have other fiduciary duties to the company related to cybersecurity, such as ensuring transparency in public filings and monitoring and overseeing the company’s cybersecurity practices. No board should be completely blindsided by a ransomware attack or by the company’s decision to pay a threat actor. Therefore, the strongest and most explicit delegation of authority to senior management to decide to pay a ransom is a cybersecurity incident response plan, ransomware-specific or general, that outlines how a ransomware attack will be escalated to the board and what the board’s role is with respect to a decision by the company concerning a ransom payment, including how senior management will evaluate whether to pay a threat actor. To meet the board’s fiduciary obligation to monitor cybersecurity practices at the company, this plan should be presented to and approved by the board before any ransomware attack occurs. This gives the board the oversight it needs to kick the tires and ask questions about the plan, including whether there are, or should be, financial thresholds on senior management’s authority; for example, a ransom payment above a certain dollar amount may require explicit board approval. In addition, the incident response plan should set out how and when the board will be informed about the decision to make a ransom payment. The board’s approval of the plan should be reflected in the meeting minutes.
A ransomware incident response plan that meets these conditions not only satisfies the board’s oversight obligations, but also allows the company to react quickly and helps protect the individual directors from liability that may stem from the decision to pay a ransom.