CFOs learn how to respond and lead during a cyberattack

CFOs work through a cyberattack simulation

Imagine this situation: your CEO just resigned and as CFO, you’re the acting chief. After returning to the office from an exhausting overseas trip, your CIO informs you that malware was deployed within your customer databases.

That’s worrisome enough, but the next morning your CIO delivers this bombshell: Hackers are demanding $4.5 million in ransomware or all that sensitive customer data winds up on the dark web.

And you have just 72 hours to figure out what to do.

Finance executives experienced this exact simulated ransomware attack at CNBC’s recent CFO Council Summit in Washington, D.C. They were joined by a half dozen of CNBC’s Technology Executive Council (TEC) members from leading cybersecurity companies to help guide them through the steps they and their hypothetical companies should take in responding to the attack.

The simulation was led by retired U.S. Army Colonel Sean Hannah of the Thayer Leadership, a leadership development organization located at West Point. CFOs from the Council were broken up into teams, each representing a fictitious company in a specific industry such as financial services, healthcare, energy, and pharma/biotech. The TEC members were brought in to play the role of CIO at each of these companies and to offer technical advice on what to do in the event of a ransomware attack.

The goal of the exercise was not to school CFOs in the technical intricacies of a breach, Hannah said at the beginning of the exercise, but rather to formulate a plan for how to manage, lead, and communicate during a crisis.

Hannah informed each table of participants that each minute of the exercise would represent about 41 minutes of “real” time, giving them about 1 hour and 45 minutes to figure out what they would do during a cyberattack.

As the scenario moved along, CFOs were given the next development or demand in the attack. Once they knew a ransomware demand was made, the most pressing question was whether they should pay the money. Many wondered if making the payment would put a bullseye on their back for future ransomware attacks. Others turned immediately to the participants playing company lawyers to determine how much cyber insurance they had on hand to pay the…