“A lot of incident response plans that we see, or practice, have been structured around personal information,” said Latham & Watkins partner Jennifer Archie. In contrast, ransomware tends to involve “business continuity, disruption of commercial relationships [and] employee data.” Communications risks are growing around ransomware – the COVID-19 pandemic continued to shift the cultural dynamics around staying silent, Latham partner Antony Kim noted during a Privacy + Security Forum Fall Academy workshop. The SEC has joined the Federal Trade Commission in acting to enforce companies’ proper wording about risks during their post-incident statements and notifications. Many companies have not prepared for the communications challenges a ransomware attack brings, Kim noted. General incident response principles apply to companies’ ransomware public relations: identify the public risks to address, alert the designated communications leaders, tailor the existing playbook plan for the current attack’s wrinkles and share the refreshed plan with the other response leaders, noted Katie Clark, Edelman senior vice president for crisis and reputation risk. With ransomware in the public eye so often over the past few years, incident response teams have multiple case studies showing nuanced ransomware risks to incorporate into their plans. See “Ransomware and Sanctions in the Time of War
” (Aug. 18, 2022).