Are big ransom payments a smart response to the global menace of ransomware?

#ForensicPerspectives

Many companies find it helpful to assess the risks of paying a ransom through multiple lenses, including:

“Business Risk” lens
Reputation: payments can strengthen the perception among threat actors that the company is an “easy target,” potentially increasing the likelihood of being targeted more frequently in the future.
Lack of ROI: payments may not prevent data disclosure or misuse, especially since so much PII is already widely available on the dark web and elsewhere online. There is also no guarantee that threat actors will return the data or uphold any promises made during negotiations.
Financial impact: payments divert company funds from other shareholder value-creating or risk-reducing opportunities, such as remediating the underlying security weaknesses that allowed the attack to occur, and may translate into increased cybersecurity insurance premiums.

“Legal and Regulatory Risk” lens
Potential criminal exposure: payments may violate OFAC-enforced regulations, which prohibit transactions with entities on the Specially Designated Nationals list, or may be construed as bribes to foreign nationals and thereby a violation of the Foreign Corrupt Practices Act.
Perception of inadequate preparedness: the business decision to make a ransom payment could be second-guessed by regulators and/or the plaintiffs’ bar as a failure to adequately foresee, prevent, or prepare for such an attack.

“Moral and Ethical Risk” lens
Empowering criminals: payments strengthen threat actors, helping them enhance their attack capabilities and wage more frequent and more serious attacks.
Funding criminal activities: proceeds are often used to fund illicit weapons programs and to support other actions that undermine democracy and global security.
Brand and trust: payments can damage a company’s reputation among those constituents who are opposed to economically supporting criminal activities and to increasing the risk of future attacks.

CRA’s Forensic Services Practice assists in the prevention, detection, and correction of a broad range of risks and potential misconduct, reaffirming companies’ commitment to integrity and exemplary corporate governance. Other recent assignments have included investigating and assessing allegations of financial statement irregularities, fraud, FCPA, and bribery and corruption non-compliance, export controls and sanctions, anti-money laundering, #MeToo issues, theft of trade secrets, ineffectiveness of SOX controls, and cybercrime.

We are grateful for the valuable insights of Lori E. Lightfoot, Esq., Senior Consultant to CRA’s Forensic Services Practice, in the preparation of this analysis. Lori advises clients in investigating, responding to, and navigating through very public crisis situations, drawing upon her collective experience as the 56th Mayor of the City of Chicago, senior partner at Mayer Brown LLP, Assistant US Attorney in the Northern District of Illinois, and academic appointments at Harvard, the University of Chicago, and the University of Michigan.