Partner Contracts can save your company from a ransomware attack. Here’s how.

During the first half of 2021, we have seen a record number of ransomware attacks with unprecedented impact across the economy. Before this new wave of attacks, hackers often limited their targets to large corporations and international businesses. Now, government agencies/public institutions and small/mid-sized businesses are the primary victims.

In this article, we will focus on the key actions a Procurement Department can take to prepare, prevent, respond, and recovery when it comes to ransomware attacks.

First, what is ransomware?

According to the U.S. Government’s Cybersecurity and Infrastructure Assurance Agency (CISA(opens in a new tab)): “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”

A few recent examples:

-        Colonial Pipeline: DarkSide, the company behind the attack, targeted
the billing system and internal business network of the Colonial Pipeline in the United States. The impact was widespread gasoline shortages in multiple states. The FBI covered a significant amount of the $4.4 million paid as ransom.

-        Brenntag: DarkSide also targeted Brenntag in a similar way, receiving a ransom payment of $4.4 million as well (not yet recovered.

-        CD Projekt Red: Attacked by HelloKitty hackers. The result was encrypted devices and threats of leaked source code.

Other companies that experienced a major hack:

-        Acer

-        JBS Foods

-        Quanta

-        National Basketball Association

-        AXA

-        CAN

-        Kia Motors

 

The methods hackers use are constantly becoming more complex and agile. Cybersecurity experts learn new ways to fight these threats each day. The most prevalent methods are 2-factor authentication, strong and effective firewalls/antivirus/anti-malware software, limited access to information for each employee, and routine backups.

What role can Procurement take in contributing to security success?

First, Procurement, Risk Management, and IT need to collaborate when onboarding strategic partners. The strategic sourcing process is integral in establishing the right tools and actions to protecting a company. We can break this down into 4 major sections. Each is in relation to vendor interactions, contractual requirements, and policies.

Prepare

Prevent

Respond

Recover

Prepare:

The safest way to prepare for a malware/ransomware attack is to assume it is inevitable. The security organization will more likely have an infrastructure in place to handle this. We should work this same mindset into our partner relationships.

Procurement is encouraged to require vendors to prepare for an attack in the same ways as their own organization. Partners can be mandated to routinely backup client data, have safeguards in place, and have a full redundancy plan in the event an attack occurs.

Prevent:

Procurement, Risk Management, and IT should collaborate on choosing the best IT Security Partner (or in-house solution) to prevent a malware/ransomware attack. When procurement facilitates strategic sourcing projects, they can effectively collect the requirements from across the company and ensure effective communication. Getting the right contract in place requires cross-team functionality. Procurement is best equipped to make this happen.

During supplier selection, an IT vendor assessment/questionnaire should be worked into an RFP. This assessment aims to test the partner’s cybersecurity strength and redundancies.

Respond:

Paying a ransomware attack is highly discouraged. Payments often influence “copycats” and more malicious behavior.

As this becomes more common, contracts with vendors should explicitly address how vendors should respond to ransomware attacks. The cost of the ransom and the cost of not paying should be compared. Contracts should aim to build every possible outcome and even stipulate who will be responsible for the actions taken and how those impacted will be made whole.

Recover:

Speaking of being made whole, procurement can foresee this by building in cybersecurity insurance requirements into each contract. This insurance is specific and often not included in general insurance requirements. Setting limits and requiring proof of insurance must become the standard moving forward. As seen before, some attacks could require millions of dollars in ransom, or even more when trying to recreate or deal with the ramifications of losing authentic data. Having financial protection against this is key for a company’s survival. Ensuring vendors can survive an attack is a key to business continuity.

In addition, when contracts ensure vendors/partners must back up and store data securely, recovery is much less costly and difficult for the clients. Procurement and Vendor Management can request vendors stress test their systems and practice for if/when an attack occurs.