How to Prepare and Respond to Ransomware Attacks
1.16.2026

Ransomware attacks have evolved into a billion-dollar threat and businesses of all sizes are at risk. Preparing a business for the threat and planning a response was the topic of a panel discussion sponsored by the Local and State Government Law Section at the New York State Bar Association’s Annual Meeting.
The panelists represented legal, insurance and criminal justice fields and offered a wide range of advice. Jessica Copeland, deputy general counsel at Bond Schoeneck and King, reminded the attorneys that all 50 states have a breach notification statute, and general counsel offices should be well versed in the state law.
The New York Shield Act, passed in 2019, requires businesses and organizations that own or license personal information about New Yorkers to implement administrative, technical and physical safeguards protecting against a data breach. Personal information includes biometric and medical data in addition to Social Security numbers, driver’s licenses and birth dates. Under the Shield Act, companies must notify the affected residents, the New York Attorney General’s office and law enforcement within 30 days of discovering the breach.
“A breach is defined as unauthorized access to computerized data that compromises the security, confidentiality or integrity of private information,” Copeland said, adding, “If they have access but don’t do anything with your information, you still have to tell clients of the breach.”
How to Handle a Cyberattack
Notification of a cyberattack can come from forces inside or outside the law firm. Discovery of a breach could start with a phone call from a vendor or a client who received an invoice that was already paid, or with an employee who can’t access a network computer.
Copeland said the role of the general counsel is to lead the response to the attack, connecting IT, forensics, insurance, public relations, human resources and management to create a response team. Copeland encourages attorneys to keep the response team small. Its members should give updates every two to three hours, she said.
After assembling the team, Copeland said, the lead counsel should determine if the threat is ongoing and whether reporting is required. The next step is determining who will be notified and outlining the remediation plan. Copeland advises her clients to offer free credit monitoring for all affected.
“It’s an inexpensive mitigation tool and if a lawsuit flows from the incident, you can say there was credit monitoring available. It’s a good step to take even if not required,” she said.
Copeland closed her presentation by offering a few tips on prevention and preparation before an attack takes place.
“Have an incident response plan and don’t store it electronically,” she said. “Hold a tabletop exercise where all the team members practice their roles and know who to call and how to get the insurance provider involved.”
How to Navigate Cybersecurity Insurance
Christine Wiktor, a senior vice president with Gallagher Insurance, warned attorneys that any size company is at risk. She cited a 2024 analysis from insurer Chubb that half of the victims of a cyberattack that year were organizations with $150 million in revenue and that the average cost of an attack was $250,000. She encouraged lawyers to work with their insurance providers to determine the right amount of cybersecurity coverage. Wiktor also said that companies should call insurance providers at the first sign of an attack.
“This is not like auto insurance. For a cyberattack, don’t worry about the deductible. You should call and claim it right away,” she said.
A comprehensive policy, she advises, should contain coverage for extortion or the payment of a ransom, loss of business income and coverage to pay for cybercrime investigative services.
“An insurance policy is not a pdf with an 800 number,” Wiktor said. “There are lots of resources for you from your insurance company. If you have a policy, I encourage you to take advantage of all those resources.”
Wiktor also advised that any attack must be documented because it will determine the rates for renewal of cybersecurity coverage.
Digital crime expert Adam Hart of Charles River Associates closed out the session by stressing that the use of multi-factor authentication is an essential first step in making a site secure.
“You should invest in strong backups to your data. Threat actors have adapted and may be able to bypass multi-factor authentication and hit you, regardless of your size,” he said.
Hart often leads teams called in to negotiate with the cybercriminals who are making ransom demands. He goes on the offense, reaching out to the criminals to start negotiations.
“It’s about gathering intel. We need to find out what they have of yours and what they want from you,” he said. “We like to delay or prevent harassment by reaching out first. If you don’t contact them, they will aggressively email your leadership and your employees. If you ignore them, they will post your company information on a leak site and the news gets out. You can delay that leak by contacting them.”
The panel reminded lawyers that prevention and preparation are key to surviving a cyberattack. Insurance coverage and planning can help defend a business from an attack and help the business survive the fallout.




