With ransomware, reputation could be the biggest price you'll pay

Posted by
Charles Muggeridge
Senior Vice President & Partner
As the largest fuel pipeline in the US brings its systems back online after the ransomware attack, there are stories of service stations running out of gas in parts of the US and higher prices in Canada – it’s a flashback to the gas shortages of the 1970s. The incident represents one of the largest disruptions of American critical infrastructure by hackers.

One key part of the media coverage is speculation about ransom – did the company pay the threat actors to unlock their IT systems? When the attack first happened, media speculated that the company did not pay. It was bringing its systems up using its own backup systems. As the incident unfolded, media began quoting anonymous sources who said a ransom was in fact paid, in the hours shortly after the incident. This is according to “two people familiar with the transaction.” Did they pay or didn’t they? The story has shifted and continues to unfold.

Our cyber crisis team regularly works with Canadian organizations who are dealing with breaches in the midst of an escalating ransomware epidemic. Their incident response teams are forced to think through the ransom question in real time. The ransom payment question is an example of a cyber issue that should be thought through in advance.

Here are some key questions you should be asking when faced with a ransomware attack:

Should I pay?

This is a central question for anyone facing a ransomware attack. Often, the starting point is ‘we don’t pay’ — whether from a legal stance, an ethical perspective or a technical point of view (paying may make a company more attractive to hackers in the future). However, sticking to that line can be a challenge when critical operations are disrupted and, in some cases, the ability of the company to function is at stake. Companies should get ahead of the issue through scenario planning and by stress testing the scenario with the crisis response team. You should always include legal and crisis communications in these activities, as well as when dealing with such an attack in real time.

What are my communication priorities?

It is essential that all stakeholders see you as a credible source of information. Be clear, consistent, and accurate in the information you share internally and externally, and do not engage in speculation of any sort. Communications can be fine-tuned during scenario planning.

Who should I call?

Call the experts. Decisions and communications at the early stages of an attack can have significant implications further down the line. Whether it’s an update to employees or a notification to regulators, it is critical to engage the necessary players from the outset in the face of a ransomware attack — cyber insurance companies, forensic IT teams, legal counsel and corporate communications specialists — to potentially limit reputational and operational damage in the long term. Organizations should also notify law enforcement as quickly as possible to validate the legitimacy of the attack. Again, scenario planning will help you anticipate issues and make this run smoothly.

How can I control the narrative?

Part of communications planning around a ransomware attack should include a timeline of when to deploy certain messages to specific audiences. Generally, the timeline will be broken up into three phases: 1) The ongoing investigation phase, 2) The remediation and notification phase, and 3) The post-attack phase. It is imperative not to speculate or contribute to a narrative you do not control. Focus communication on transparency and avoid over-communicating when you have nothing new to share.

Cyber security is one of the biggest threats to your company’s reputation today, and it needs to be taken very seriously. If you have any questions about your organization’s cyber crisis communications preparedness, the FHR crisis team will provide you with a one-hour free evaluation. Reach out to us to book your consultation.

Charles Muggeridge
Senior Vice President & Partner
Charles is a certified crisis counsellor with a background in strategic communications, stakeholder relations and issue management. He provides counsel across a variety of sectors, including healthcare and energy, and has extensive experience counselling clients and company leaders around some of the leading issues of the day.