Milbank Litigation & Arbitration partners Antonia M. Apps and Adam Fee, and special counsel Matthew Laroche, have authored “A Guide for Boards and Companies Facing Ransomware Demands.” The article was first published on October 16, 2021 in the Harvard Law School Forum on Corporate Governance, a leading online resource on corporate governance issues.
Ransomware groups continue to proliferate, and attacks have become more common, sophisticated and successful. While the US Department of the Treasury and other law enforcement and regulatory bodies have issued guidance and made public statements discouraging ransomware payments, the practical reality is that paying a ransom may make the difference between the failure or survival of a business. Victim companies and the boards overseeing them must be prepared to decide whether to pay quickly, pragmatically and decisively.
In “A Guide for Boards and Companies Facing Ransomware Demands,” the authors address specifically the legality of paying the ransom and the potential applicability of the US sanctions regime and anti-money laundering statutes, particularly in light of recent actions by the Department of the Treasury. They also offer three practical assessments for companies determining whether to pay, including valuing the breached data in the context of a modern ransomware attack, the practical risks from paying the ransom, and methods for negotiating and paying.
