Imagine your data center is non-operational. Online and mobile banking and bill pay are down. It’s been days, and you have no idea when they will be working again.
That’s the situation facing at least one of the 60 credit unions impacted by a ransomware attack on a third-party disaster recovery/business continuity solution provider. The company was targeted with ransomware after failing to patch a vulnerability known as Citrix Bleed that was announced October 10, according to American Banker. (It was such a significant threat that even the FBI issued warnings about it.)
What happened?
Ransomware attackers successfully infiltrated the BCP company – but the problems didn’t stop there. The attack also impacted another unit of the parent company, a data processor for credit unions, leading to widespread outages.
Members are not happy. Bills are going unpaid. They can’t transfer funds. The credit unions are doing their best, posting updates to keep members informed, but they can’t promise when service will be restored. (In good news, so far the company says that member data was not impacted by the breach.)
Guarding Against Third-Party Ransomware Attacks
Ransomware attacks are a growing threat, but they aren’t necessarily unavoidable. While there is no guarantee that a company won’t be hit by ransomware or other cyber threats, financial institutions can reduce the risk with strong vendor management controls and oversight.
Ongoing cyber hygiene and due diligence is a must. Areas to consider include:
Patch management. Failing to patch vulnerabilities contributes to 60 percent of all cyber breaches, according to CSO. Financial institutions and their third-party vendors need strong patch management programs. That includes an inventory of assets, knowing which devices are connected to your network, a plan to ensure that all devices and software programs are regularly updated, and a log to demonstrate when patches are installed.
Related: Six Common IT Exam Issues—and the Controls You Need to Address Them
Security awareness training. The vast majority of ransomware attacks are due to human error. An employee clicks on a link or opens an attachment in a phishing email. They visit a questionable website. Security awareness training is essential to preventing these dangerous mistakes.
Your financial institution should conduct regular security awareness training, and so should your third-party vendors, especially the critical ones. When conducting due diligence, verify that your vendors are on top security awareness training. Failing to stay current with security training is a red flag.
Cyber monitoring. Vendors aren’t always quick to report problems, and sometimes they don’t even know they have one. Vendor cybersecurity monitoring collects and assesses publicly available information, including information on the dark web, to detect threats and vulnerabilities in real time. That gives you and your vendor the ability to take action to prevent breaches.
Vendor third-party risk management (TPRM) programs. Your vendors have vendors, and issues with those fourth-party vendors can lead to problems at your institution. It’s not feasible to assess the safety and reliability of all of your vendors’ vendors (and their vendors), and regulators know this. That’s why they expect you to carefully review your vendors’ TPRM programs. You want to make sure they are doing everything your institution would do to vet and monitor vendors – and take action if a vendor isn’t delivering on its promises.
Related: How to Review Critical Vendors' Cybersecurity
Access to documentation via your contracts. You can’t assess the strength of a third-party vendor’s cyber controls without documentation. When drafting contracts and agreements, make sure you include provisions requiring your third-party vendor to regularly supply documentation of essential controls and meet expectations for specific cybersecurity controls. Then take the time to review the documentation, identify potential weaknesses and address them both internally and with your vendor. If something misses the mark, speak up.
Business continuity plans. How will your vendor handle the disruption of a breach? Has it considered the impact of different system outages? Does it have back up plans? Documentation verifying your vendor’s business continuity plan gives you an idea of how well prepared a vendor is to respond to a disruption – whether it’s due to a ransomware attack or a hurricane. There should be a plan for restoring critical functions with specific deadlines for getting systems up and running again. This is known as maximum allowable downtime (MAD).
Related: Third-Party Provider Data Breaches: 3 Lessons Learned
These are just a few examples of the controls a financial institution needs to protect itself from the threat of disruptions and data loss when a third-party vendor falls victim to a ransomware attack.
Want a closer look at managing vendor cyber risk?
Download our free whitepaper
Not One & Done: Making the Case for Continuous Monitoring for Third-Party Cyber Risk
Subscribe to the Nsight Blog
Share this
Finastra, World’s Third-Largest Fintech, Responds to Ransomware Attack
Cloudy with a Chance of Data Loss
