Cyber Governance: The Pressure Point in Ransomware Incidents

  • Legal Development 09 June 2026
  • Africa
  • Tech & AI evolution
  • Cyber Risk

Ransomware and cyber extortion incidents have evolved from largely technical events into acute governance crises. While the initial breach often sits with IT and security teams, the most consequential decisions - those carrying legal, regulatory, and reputational risk - sit squarely at board level. In that moment, cyber governance becomes the critical pressure point.

Recent incidents have brought renewed scrutiny to cyber governance frameworks and to how boards respond when a ransomware incident unfolds. The recent ShinyHunters breach of the Canvas Learning Management System provides a stark illustration.

As an online system relied upon by thousands of schools and universities to deliver teaching, assessment and communication at scale, the consequences of the incident were not confined to the digital environment. The disruption impaired core educational functions, particularly over critical periods for examinations and coursework submission, demonstrating the extent to which operational continuity is dependent on the resilience of underlying digital infrastructure.

Instructure's own response, as the company behind Canvas, attracted significant scrutiny. In the days following the incident, Instructure’s leadership issued a public apology, acknowledging both the disruption caused and shortcomings in the manner in which the incident had been managed and communicated. Instructure accepted that it had failed to provide timely and consistent updates to affected stakeholders. That failure drew criticism not merely at a technical level, but as a matter of governance oversight and accountability.

From breach to boardroom

In the early stages of a ransomware attack, the focus is typically on technical containment, digital forensic investigation, and business continuity. However, escalation is rapid. Questions soon arise that cannot be resolved through technical expertise alone:

  • Should negotiations be considered with the threat actor? What are the pros and cons of negotiating?
  • Should a ransom be paid, and if so, on what basis and by what mechanism?
  • What disclosures are required, to whom, and when?
  • How should competing stakeholder interests be balanced?
  • To what extent does the incident trigger regulatory scrutiny or parallel litigation risk?

These are fundamentally governance questions. They require the exercise of judgement by directors operating in an information deficit, often within compressed timeframes and with incomplete understanding of the extent and duration of the impact.

The decision-making burden on directors

Directors are expected to act in the best interests of the company, to exercise reasonable care, skill, and diligence, and to ensure appropriate oversight of risk. In a ransomware attack, these duties are uniquely tested in an acute and multi-faceted way.

Decision-making challenges include:

  • Information asymmetry: Boards must make decisions based on rapidly evolving technical information that is often not fully understood at director level.
  • Time pressure: Decisions around notification, containment and response cannot be deferred. Delay may exacerbate loss or regulatory exposure.
  • Conflicting imperatives: Legal, moral/ethical, commercial, operational, and reputational considerations may point in different directions.
  • Hindsight scrutiny: Decisions taken in crisis are frequently revisited with the benefit of full information, through regulatory investigations or subsequent litigation.

It is within this environment that governance frameworks are validated or found wanting.

Cyber governance as a risk mitigant

Effective cyber governance is not limited to policies and protocols. It is reflected in the board’s preparedness to navigate the decision-making process in real time.

Key indicators of robust governance include:

  • Clear escalation pathways between management and the board.
  • Defined roles and responsibilities during incident response.
  • Pre-agreed decision frameworks for issues such as threat actor engagement, strategic negotiation and external communications.
  • Board familiarity with cyber risk, including realistic scenario-based training.
  • Integration of legal and insurance considerations into incident response planning.

Where these elements are absent, decision-making can become reactive, fragmented, and difficult to defend after the fact.

The intersection with D&O exposure

Ransomware incidents are increasingly leading to downstream claims framed not merely as cyber failures but as governance failures. These may include:

  • Allegations that the board failed to implement adequate oversight of cyber risk.
  • Criticism of decisions taken during the incident response process.
  • Employee, shareholder, or stakeholder actions linked to inadequate disclosure, market impact, or reputational harm.
  • Regulatory scrutiny of the company’s governance processes.

In this context, the distinction between a “cyber event” and a “D&O situation” quickly dissolves. The focus shifts from how the breach occurred to how it was met, managed, and contained. The novelty of cyber risk events has been overtaken by acceptance that cyber perils are an enduring part of the risk landscape and must be planned for.

Practical realities in claims scenarios

In practice, disputes at the intersection of cyber and D&O often turn on:

  • The quality and timing of board-level decisions.
  • The extent to which relevant risks were identified and escalated.
  • Documented reasoning which underpins key decisions.
  • Alignment (or misalignment) with established governance frameworks.

These issues are rarely assessed in isolation. They are considered against the broader factual matrix of the incident, often with the benefit of hindsight and forensic reconstruction.

Conclusion

Ransomware attacks expose more than technical vulnerabilities. They test the resilience of corporate governance in real time, under intense pressure and often in the public eye.

For boards, the challenge lies not only in responding to the incident, but in doing so in a manner that is coherent, defensible, and consistent with individual directors’ duties.

As cyber threats continue to evolve, so too does scrutiny on how organisations are governed in moments of crisis. The ability to withstand that scrutiny is increasingly shaped by what happens at the intersection of cyber response and boardroom decision-making.

Complex challenges of this nature seldom fall neatly within a single discipline. They require a coordinated approach that brings together cyber incident response, regulatory and litigation considerations, and director-level risk exposure under D&O frameworks.

It is at this intersection, often under significant time pressure, that the quality of governance is most accurately tested, and where the consequences of decision-making most sharply materialise.

How Clyde & Co can help

Clyde & Co supports clients in designing and delivering tailored cyber tabletop and simulation exercises that are legally accurate, commercially realistic and governance focused. Our practical approach integrates legal, regulatory, insurance, crisis management and reputational considerations, mirroring the complexity of real-world incidents.

Exercises are customised to an organisation’s sector, risk profile and regulatory environment, and structured to align with the expectations of both the Joint Standard on Cyber Security and Cyber Resilience and the King V Code. Participants leave not only with greater confidence, but with lasting insights into decision-making gaps, escalation pathways and governance enhancements.
