The Ransomware Resilience Test: Could Your Board Defend Its Decisions After an Attack?

By Ali Zeb  ·  July 2025  ·  8 min read

The post-incident regulatory review is becoming one of the more consequential governance tests an organisation can face. When a ransomware attack occurs and the regulator investigates, the questions directed at the board are no longer confined to what happened and what the response was. They now extend to what decisions the board made in advance, what evidence it relied on, and whether its governance of the risk was adequate given what was knowable at the time.

Most boards are not prepared for that test. They are prepared for the operational response — incident response plans, communication protocols, business continuity procedures — because those are the visible outputs of preparation. They are significantly less prepared for the governance review, because that requires not just doing things but making decisions and documenting the reasoning behind them. In a post-incident environment, the question is not whether you had a plan. It is whether the board actively governed the risk, understood its exposure, and made defensible decisions about it. Those are harder questions to answer retrospectively if the work was not done prospectively.

The ransomware resilience test I describe here is not an academic exercise. It is the test regulators, insurers, and sometimes courts apply after a serious incident. Understanding it in advance is the most effective way to ensure you can pass it when it matters.

What the test actually asks

The ransomware resilience test has three dimensions. The first is whether the board understood its actual exposure: not a general awareness that ransomware is a threat, but a specific understanding of which assets were most likely to be targeted, what the impact of a successful attack on those assets would be, and how long recovery would take under realistic scenarios.

The second dimension is whether the board made active decisions about that exposure. There is a meaningful governance difference between a board that received a presentation about ransomware risk and one that discussed the organisation's specific exposure, challenged the recovery time objectives presented to it, and directed the executive team to address identified gaps within a specified timeframe. Both boards may have received the same information. Only one has governed the risk.

The third dimension is evidence. Board minutes, decision logs, and action tracking are the documentary record of governance. A board that made all the right decisions but cannot demonstrate this through its records is in a materially weaker position than one that can produce a clear audit trail. Post-incident reviews frequently find that the governance was better than the documentation suggests, but regulators assess what they can evidence, not what they are told occurred.

Against each of these dimensions, most boards in regulated sectors fall short. Not because they are negligent, but because the current model of board cyber oversight is oriented toward receiving technical updates rather than making and documenting governance decisions. That orientation needs to change, and it needs to change before an incident rather than after one.

"A regulator reviewing your ransomware response will not be satisfied by a good incident playbook. They will want to know what the board knew, when it knew it, and what it decided to do about it. That evidence lives in your governance records, not your IT systems."

Ali Zeb

Building a board-defensible ransomware governance position

The practical governance work required to build a defensible position has four components, each of which produces evidence as well as substance.

Scenario-based board engagement. Boards should receive at least annually a ransomware-specific scenario exercise that presents the board with realistic choices rather than a technical briefing. The scenario should force the board to consider: at what point do we notify the regulator, what are our obligations around paying a ransom, how do we communicate to clients and counterparties, and who has authority to make which decisions under time pressure? The exercise should be minuted and the decisions documented. This is the foundation of the governance record.

Recovery time objective challenge. Boards should ask their executive team for the documented recovery time objectives for the organisation's critical systems, and should then ask on what basis those objectives were set and when they were last tested. RTOs that have never been validated through a realistic test are aspirations, not commitments. A board that has challenged its RTOs and required them to be evidenced is in a substantially stronger governance position than one that accepted the numbers presented to it.

Ransom payment policy. Every regulated organisation should have a documented board-level position on ransom payment: under what circumstances, if any, would payment be considered, who has authority to authorise that decision, and what are the legal and regulatory constraints? This is not a comfortable conversation. It is an essential one, and having it before an incident — with the result documented in board minutes — is materially different from having it under time pressure during one.

Insurance adequacy review. Cyber insurance policies vary substantially in their ransomware coverage, their conditions, and their exclusions. Boards should ensure that their insurance position has been reviewed against their actual exposure and their incident response procedures, that coverage limits are adequate relative to realistic recovery costs, and that the conditions for coverage are understood and capable of being met. An insurance policy that does not respond as expected during an incident compounds the governance failure rather than mitigating it.

Ali Zeb is an Executive Cyber Security Advisor, Non-Executive Director, and former advisory member at the FCA, NCSC, and Lloyd's of London Market Cyber Risk Committee. He advises boards on cyber governance, ransomware resilience, and building governance positions that can withstand regulatory scrutiny.
