General counsel at Texas companies are critical to preparing corporate executives and board members for cyberattacks and ransomware demands, Erin Nealy Cox, former U.S. Attorney for the Northern District of Texas, told about 200 members of the Texas General Counsel Forum attending the organization’s annual meeting Thursday in Austin.
Cox, who is now a partner at Kirkland & Ellis in Dallas, said there are key pre-emptive steps that GCs should take prior to a cyber invasion, including creating a multi-disciplinary working team of top executives and conducting basic educational sessions for corporate board members.
“Cyber incidents are no longer a surprise,” she said. “No doubt [the past year] was the worst year ever for ransomware attacks. If you fail to plan, you plan to fail.”
During the past year, there were 40 ransomware attacks on government agencies, 30 on schools, 25 on healthcare companies and 10 on financial institutions and utilities, Cox said.
In 2018, 39% of companies disclosed that they had regular updates on cyber security matters with their corporate boards – a number that jumped to 56% in 2020, she said.
Cox said she’s spoken with several general counsel after their businesses have faced breaches. She said they invariably say they wish they had been better educated about the threats and risks and they wish they had been more proactive with their corporate boards.
“The worst thing you can do is surprise the board on risk,” she said.
Congress has recently introduced legislation that would require businesses that face a cyber breach to immediately notify the U.S. Treasury Department and would prohibit ransomware payments of more than $100,000, Cox said. She noted that the average ransomware payment is now $847,000 and that a congressional prohibition on companies making payments would likely not stop such attacks from happening.
In addition, she pointed out, federal authorities have warned companies that they would consider levying penalties against businesses that pay ransomware attackers.
But Cox said that GCs should not think federal law enforcement is going to come to their rescue when it comes to ransomware attacks.
“You thought the FBI would be helpful?” Cox asked, referring specifically to federal law enforcement’s abilities to unlock information being held captive by attackers. “They are super nice, but not that helpful.”