OGC Solutions Legal Alert: How to Recover After a Ransomware Attack
Here’s a sobering thought: Ransomware attacks have doubled since the first half of 2021 as bad actors continue to find new ways to dodge security layers. Cybersecurity experts say it’s inevitable that most companies will face a ransomware attack at some point.
While corporate executives must act swiftly to mitigate the damage of such an attack, equal attention must be paid to the weeks—and months—following a cybersecurity breach.
“Once you’ve gotten past the immediate crisis, you need to think about your company’s obligations to others — and how you can safeguard your relationships with clients and partners, as well as your reputation,” says Alexander Anglim, a partner at Santomassimo Davis LLP Outside General Counsel™ Solutions, a New Jersey-based firm with offices in New Jersey, Philadelphia, and New York. “There’s a tremendous amount of debriefing that needs to be done.”
With that in mind, here are three essential steps to take in the aftermath of a ransomware attack.
3 Steps To Take In The Aftermath Of A Ransomware Attack
1. Work closely with your insurance provider.
“If you’ve got a good cybersecurity insurance provider, they’re going to jump in and help out very quickly,” Anglim says. But while your provider may take the lead, they’re going to need your help in conducting a thorough investigation into what happened and will likely need to interview key executives and members of your IT team. You also may be required to provide a sworn proof of loss before they make any payments to cover losses due to cybersecurity breaches. “It’s in your best interest to cooperate in a quick and efficient manner,” Anglim says, as there may be a time limit to submit the sworn proof of loss. Your legal partner can walk you through the insurance process and ensure that you meet all of your deadlines.
You’ll also need to work with your insurance provider to document your damages and show multiple estimates from IT vendors to prove to your insurer that the amount that’s being paid is reasonable. And you’ll need to document how you’re fixing security lapses and upgrading equipment to guard against future attacks. Being able to demonstrate this will be helpful down the road when you are ready to renegotiate your policy. “If you’re able to say, ‘Here’s how we have improved our security as a result of this event,’ you’ll be in a better negotiating position,” Anglim says.
2. Take care of obligations to customers and partners.
As soon as you’ve recovered from an attack, “you need to think about your company’s obligations to others,” Anglim says. For instance, you may have a legal obligation to notify customers or partners if you’ve had a data breach. In addition, if your company’s ability to perform is going to be impacted (e.g., you’ve got to shut down your production line temporarily or take customer service offline), consider how you’ll communicate that to the affected parties. In some cases, staying ahead of the crisis might help you negotiate a better resolution with those who are impacted. “If you reach out to your customers and partners promptly and involve them, you might buy some good faith, which could give you some breathing room if that’s what you need,” he says.
Even if service hasn’t been affected, Anglim says it may be helpful to communicate rapidly with clients and partners about what happened. “You might say, ‘We have an issue but we’re taking an aggressive approach and we expect to be able to honor our commitments to you,’” he says. “That open communication buys a lot of good faith.”
3. Let your legal counsel play quarterback.
Appoint your legal partner as the quarterback to steer you through these communications, especially when they involve contractual obligations. But make sure whomever you work with is well-equipped to handle ransomware attacks, Anglim warns. “Work with someone who is familiar with your entire business — not the law firm you called last year about an employment issue,” he says. “You need a general counsel, or an outside general counsel, who knows your business and who knows the key players within the company and outside of it — and has a thorough understanding of your contractual obligations.”
“This is a delicate matter,” he says. “The future—and reputation—of your company is at stake.”