Companies often face the dilemma on payment of ransom when their data is captured and held hostage by a ransomware attacker. The attacker fixes a certain price for the release of the decryption key and often places the data for sale in the dark web. Acer had a demand of $50 million, CNA Financial reportedly paid $40 million and Colonial Pipeline paid $4.4 million. In India itself we had a demand on Cognizant for $ 5 million and different smaller amounts in different companies.
It is clear that in these cases the hackers had a perception of the value of the data they had captured and the companies paid the ransom because they felt that there was an opportunity cost in refusing to pay. Insurance companies have their own practices on dealing with such instances and some may cover the ransom as part of their policy.
Further, darkweb often quotes a price list for many kinds of data. One such laundry list is here.
When thieves set a value for the data they may target and steal, it is necessary for the organizations which have these assets to also know that they have assets which are vulnerable to be stolen.
Managements often express surprise when a ransom demand is made and wonder “Do we have that kind of data with us”?. The reason is that so far the CFOs and CEOs were never told that Data is an asset though on the balance sheet it does not show up.
Corporate Managements need to ask themselves, if they are not representing the true value of their assets in the financial statements which they certify “This is a fair and true representation of the company’s financial position”.
If the CEO/CFO knows that the company has a Rs 5000 crore of data asset, they would not crib to appoint a DPO or CISO at the kind of remuneration they deserve or to invest in security products or employee training or atleast to harden their operating systems which they keep postponing.
Let’s therefore look to the future with confidence by valuing our data assets and bringing them into our balance sheets. …
Let our shareholders know what we are worth.
Let our competitors know what it would cost to take over our company.
Asatoma sadgamaya…tamasoma Jyotirgamaya…Oh DVSI, Oh DVSI…
(meaning From Ignorance, lead me to truth, from darkness, lead me to light..Oh Data Valuation Standard of India)
(With apologies to the Rishis who gave us the Upanishad Vaakya)