The Bottom Line

To learn more about the CNBC CFO Council, visit cnbccouncils.com/cfo

CFOs learn how to respond and lead during a cyberattack

Key Points
  • Finance executives at CNBC's recent CFO Council Summit in Washington, D.C., had the chance to experience a simulated ransomware attack.
  • The goal of the exercise was not to school CFOs in the technical intricacies of a breach, but rather to formulate a plan for how to manage, lead, and communicate during a crisis.
  • Deciding whether or not to pay the ransom turned out to be the thorniest issue for most of the CFOs.

Video: CFOs work through a cyberattack simulation (1:38)

Imagine this situation: your CEO just resigned and as CFO, you're the acting chief. After returning to the office from an exhausting overseas trip, your CIO informs you that malware was deployed within your customer databases.

That's worrisome enough, but the next morning your CIO delivers this bombshell: Hackers are demanding a $4.5 million ransom or all that sensitive customer data winds up on the dark web.

And you have just 72 hours to figure out what to do.

Finance executives experienced this exact simulated ransomware attack at CNBC's recent CFO Council Summit in Washington, D.C. They were joined by a half dozen of CNBC's Technology Executive Council (TEC) members from leading cybersecurity companies to help guide them through the steps they and their hypothetical companies should take in responding to the attack.

The simulation was led by retired U.S. Army Colonel Sean Hannah of Thayer Leadership, a leadership development organization located at West Point. CFOs from the Council were broken up into teams, each representing a fictitious company in a specific industry such as financial services, healthcare, energy, and pharma/biotech. The TEC members were brought in to play the role of CIO at each of these companies and to offer technical advice on what to do in the event of a ransomware attack.

The goal of the exercise was not to school CFOs in the technical intricacies of a breach, Hannah said at the beginning of the exercise, but rather to formulate a plan for how to manage, lead, and communicate during a crisis.

Hannah informed each table of participants that each minute of the exercise would represent about 41 minutes of "real" time, giving them about 1 hour and 45 minutes to figure out what they would do during a cyberattack.

As the scenario moved along, CFOs were given the next development or demand in the attack. Once they knew a ransom demand had been made, the most pressing question was whether they should pay the money. Many wondered if making the payment would put a bullseye on their back for future ransomware attacks. Others turned immediately to the participants playing company lawyers to determine how much cyber insurance they had on hand to cover the ransom.

Photo: CFOs were separated into groups based on their industry. (CNBC CFO Council)

Figuring out the cost of a breach

TEC member Karl Mattson, CISO at Noname Security, urged those at his table to calculate how much money their company was losing each day their systems were down because of the attack and compare it to the ransomware demand.

"The CFOs really struggled with calculating the break-even point of 'to pay or not to pay,'" he said. "In our simulation, we realized that our business really does have a threshold of pain and lost revenue, above which the ransom payment is entirely rational. We had to build that cost/loss model on the fly."
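The break-even model Mattson describes is simple enough to write down. The following is an added illustration, not code or figures from the article or from any participant; apart from the $4.5 million demand, every number is a constructed assumption (daily revenue loss, days to restore with the attacker's decryptor versus rebuilding from backups). It covers only the downtime cost that Mattson's table compared against the demand; it says nothing about the data-leak threat in the scenario, the legal exposure of paying a sanctioned actor, or whether the decryptor actually works, all of which a real decision would have to weigh.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class OutageModel:
    """Downtime-versus-ransom break-even model (illustrative; constructed inputs)."""

    daily_loss: float            # revenue lost per day while systems are down
    ransom: float                # attacker's demand
    restore_days_if_paid: float  # expected days to recover using the attacker's decryptor
    restore_days_if_not: float   # expected days to rebuild from backups without paying
    recovery_cost: float = 0.0   # IR, forensics and rebuild costs incurred either way

    def cost_if_paid(self) -> float:
        # Paying buys a shorter outage but adds the ransom itself.
        return self.ransom + self.daily_loss * self.restore_days_if_paid + self.recovery_cost

    def cost_if_not_paid(self) -> float:
        # Not paying means eating the full rebuild outage.
        return self.daily_loss * self.restore_days_if_not + self.recovery_cost

    def days_saved_by_paying(self) -> float:
        return self.restore_days_if_not - self.restore_days_if_paid

    def break_even_daily_loss(self) -> Optional[float]:
        """Daily loss above which paying is cheaper; None if paying saves no time."""
        saved = self.days_saved_by_paying()
        if saved <= 0:
            return None
        return self.ransom / saved

    def max_rational_ransom(self) -> float:
        """Largest payment that still costs less than the extra downtime;
        a ceiling for the negotiation several tables attempted."""
        return max(0.0, self.daily_loss * self.days_saved_by_paying())

    def paying_is_cheaper(self) -> bool:
        return self.cost_if_paid() < self.cost_if_not_paid()


def summarize(m: OutageModel) -> dict:
    """Return the numbers a CFO would want on one slide."""
    return {
        "cost_if_paid": m.cost_if_paid(),
        "cost_if_not_paid": m.cost_if_not_paid(),
        "break_even_daily_loss": m.break_even_daily_loss(),
        "max_rational_ransom": m.max_rational_ransom(),
        "paying_is_cheaper": m.paying_is_cheaper(),
    }


if __name__ == "__main__":
    # Constructed scenario: $4.5M demand (from the exercise), everything else assumed.
    high_loss = OutageModel(daily_loss=400_000, ransom=4_500_000,
                            restore_days_if_paid=3, restore_days_if_not=21)
    low_loss = OutageModel(daily_loss=100_000, ransom=4_500_000,
                           restore_days_if_paid=3, restore_days_if_not=21)
    # Good backups: rebuilding is as fast as decrypting, so paying never breaks even.
    good_backups = OutageModel(daily_loss=400_000, ransom=4_500_000,
                               restore_days_if_paid=3, restore_days_if_not=3)
    for name, model in [("high loss", high_loss), ("low loss", low_loss),
                        ("good backups", good_backups)]:
        print(name, summarize(model))
```

The "good backups" case is the one worth noticing: once rebuilding from backups is no slower than using the decryptor, `break_even_daily_loss()` returns `None` and the payment cannot be justified on downtime grounds at all, which is why tested backups change the answer to "to pay or not to pay" more than any negotiation does.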

TEC member Sanjay Macwan, CISO at Vonage, helped guide his table into formulating a logical communications plan that involved not only internal technical teams, but the insurance company, legal team, and board of directors.

"One of the pieces of advice I gave was to ensure that during a crisis, you don't just rely on the organizational hierarchy to help with the decision-making," he said, "but actively solicit input from team members who are closest to functions and understand the implications the best."

Whether to reveal the breach to the FBI or not also became a point of debate for the CFOs. Some felt revealing the information too early would create more complications.

But TEC member Charles Carmakal, CTO of Mandiant, told his table that revealing a breach to federal authorities could have an upside. He reminded them that it was the FBI that was able to recover about half of the $4.4 million ransom that Colonial Pipeline paid last year after its computer systems were hacked.

Another big decision in the exercise was whether to tell the media that a cyberattack had taken place. Many of the CFOs insisted on not using the words "cyberattack" or "ransomware" in either external communications or interviews with the press, preferring to classify the event as an "incident" that had been rectified.

In the end, every table of participants decided to pay the ransom rather than risk exposing their customers' financial data. Some tried to negotiate a lower amount than the initial $4.5 million demanded by the hackers (for the most part they were successful).

JR Miller, CFO at The Leukemia & Lymphoma Society, said the simulation showed him that he needs "to clearly assess the situation and be prepared with a response based on facts known at that time."

Running cyberattack drills on a consistent basis was the biggest takeaway for Synchrony CFO Brian Wenzel. "You can never have as much practice for these situations as you want," he said. "We need to continue to build 'muscle memory' to respond as quickly as the situation develops."

At the end, not all the CFOs decided to go to the media, choosing instead to ignore the advice given earlier at the CFO Council Summit by guest speaker and former White House Press Secretary Jen Psaki.

When it comes to a breach or any negative event, she advised CFOs: "Get the bad news out in one go. If you try to hide it, you're going to have a story about what happened and then another one about how you tried to hide it."