As public companies seek to improve their cybersecurity posture, they also work to comply with the SEC's formal guidance on disclosing cybersecurity risk, and ransomware is emerging as a key factor in those disclosures.
Ransomware is now listed as a potential risk to the business by many publicly traded companies in their annual reports, quarterly reports, special event filings, and registration forms filed with the US Securities and Exchange Commission. These filings help shareholders understand the likelihood of an attack and the material impacts that could result, which in turn affect share prices.
As ransomware evolves to include extortion, to use Active Directory against you, and to use stolen data to spearphish your business partners, the threat is clearly no longer just a few machines rendered unusable and a pittance paid as ransom. Today's ransomware authors are going after publicly traded companies, as they can get an average ransom of over $110K these days, and can threaten to tip off journalists should victim companies choose not to pay.
More than 1,000 documents filed with the SEC in 2019 listed ransomware, with another 700 already doing so in 2020.
Seeing ransomware listed as a risk factor in SEC filings demonstrates that companies are aware of the threat these attacks pose to the business and its profitability, and are therefore proactively listing it as a risk to fend off shareholder lawsuits alleging negligence.
Forrester sees ransomware as something that needs to be part of your business continuity plan, and highlights the need for Security Awareness Training to improve employees' ability to defend against an attack by not engaging with it.
Publicly traded companies are prime targets and therefore need to put effective precautions in place to stop ransomware attacks before they ever take hold. Putting a layered defense in place that includes using your employees to spot and stop attacks is going to be the key.