
Risk Management Tips for Avoiding Ransomware

Aug 18, 2020

The stories about ransomware never seem to end. A travel company paid $4.5 million in bitcoin (negotiated down from $10 million) to regain access to its data. Fitness company Garmin reportedly paid attackers $10 million. Travelex, the foreign currency exchange company, is believed to have paid $2.3 million after attackers took down its network for weeks in January, contributing to the need for major financial restructuring and layoffs earlier this year.

The average ransom payment is now $178,245 compared to $36,295 a year ago, according to ransomware response company Coveware.

Why the rapid rise? Criminals are now exfiltrating data before blocking access to it. The crooks then threaten to publicly release sensitive data so that even companies with good backup systems are pressured to pay up.

What can a financial institution do to avoid ransomware and its consequences? The answer begins with a risk assessment.

Managing Cybersecurity Risk

When evaluating the cybersecurity risk posed by ransomware, the best place to start is the FFIEC’s Cybersecurity Assessment Tool (CAT). The CAT is designed to help FIs identify cyber risks and evaluate their preparedness.

By answering the questions and assessing the results, FIs can understand regulatory expectations, recognize cyber risk, and then assess and mitigate those risks. This holds true for ransomware.

Ransomware is a type of malware, which is short for malicious software. The FFIEC CAT mentions malware 11 times in its section on cybersecurity controls. It lets FIs see where their malware controls fit into the matrix of maturity levels. It also maps questions to FFIEC Information Security Booklet requirements.

Where do preventative cyber controls for malware rank?

Baseline maturity

  • Up to date antivirus and anti-malware tools are used.
  • Antivirus and anti-malware tools are used to detect attacks.
  • E-mail protection mechanisms are used to filter for common cyber threats (e.g., attached malware or malicious links).

Evolving maturity

  • Antivirus and anti-malware tools are deployed on end-point devices (e.g., workstations, laptops, and mobile devices).
  • Antivirus and anti-malware tools are updated automatically.
  • Containment and mitigation strategies are developed for multiple incident types (e.g., DDoS, malware).

Intermediate maturity

  • E-mails and attachments are automatically scanned to detect malware and are blocked when malware is present.

Advanced maturity

  • Customer authentication for high-risk transactions includes methods to prevent malware and man-in-the-middle attacks (e.g., using visual transaction signing).

Innovative maturity

  • A centralized end-point management tool provides a fully integrated patch, configuration, and vulnerability management, while also being able to detect malware upon arrival to prevent an exploit.
  • E-mail protection mechanisms are used to filter for common cyber threats (e.g., attached malware or malicious links).
  • User tasks and content (e.g., opening an e-mail attachment) are automatically isolated in a secure container or virtual environment so that malware can be analyzed but cannot access vital data, end-point operating systems, or applications on the institution’s network.

Those are just the areas of the CAT specific to malware. The tool takes a comprehensive look at your total cyber maturity, showing areas of weakness that could invite ransomware. Tools are available to simplify the process.


The Other Risks of Ransomware

Cybersecurity and ransomware go together like cops and robbers—but cybersecurity is just part of the risk picture. There are other areas to consider:

Business continuity/resiliency. Does your financial institution have the backup systems it needs for resilience when it comes to ransomware and other cyberattacks? Is your incident response plan robust? Has it been tested?

Financial risk. Is your FI prepared for the financial consequences if ransomware caused widespread data loss, a major data breach, or gave you no choice but to pay the ransom?

Operational risk. When Garmin was attacked with ransomware, its online servers weren’t available. That meant users of its fitness devices weren’t able to use their full functionality.

Vendor management. The travel company loss risked exposing more than its own data. It also held information about Fortune 500 and other clients such as AXA Equitable, Abbot Laboratories, AIG, Amazon, Boston Scientific, Facebook, J&J, SONOCO, and Estee Lauder, according to reports.

It’s yet another reminder that it’s not enough to protect your own network. If critical vendors hold sensitive data and/or conduct functions essential to your operations, you need to know that they are also resilient. Good vendor management is a must.

Reputation risk. It’s hard to keep a ransomware attack a secret, especially when it disrupts systems. When ransomware hit fintech firm Finastra earlier this year, it had to take many of its servers offline when it detected suspicious activity. The move prevented further ransomware infiltration of its systems, but it also disrupted customers. Once word gets out, everyone will want to know if you paid up and how much.

7 Risk Management Tips for Avoiding Ransomware & Its Consequences

  1. Stay on top of the latest information. Changes like the recent threats to release information if the ransom isn’t paid may change your cyber risk assessments and mitigation strategies. Make sure your FI is aware of new cyber threats and working with other FIs to share information.
  2. Train staff to recognize phishing attempts. Ransomware often gains access to systems when employees click on links that then surreptitiously download software onto their computers. These emails are looking more and more like legitimate emails, making staff training a must. Stay on top of the latest phishing schemes and make sure your employees are aware of them.
  3. Keep software updated and properly configured. Just in case you needed yet another reason to regularly update and patch software, attackers exploit known vulnerabilities to install ransomware.
  4. Monitor your system for abnormal activity. Employees may be using remote desktop protocol (RDP) to work from home. While it’s a great pandemic workaround, it’s also a potential point of entry for ransomware. Make sure you are monitoring your network for odd login activity. Criminals will use brute force attacks (logging in repeatedly with numerous passwords and usernames) or use purchased credentials.
  5. Keep your backup and disaster recovery plans up to date. Business continuity management and operational resiliency are regulatory requirements, but they are also essential to defending against the impact of ransomware. A single employee clicking a bad link can infect a system, making it necessary to be prepared to respond to an attack.
  6. Encrypt your sensitive data. Make sure that even if hackers access your information, they won’t be able to use it.
  7. Consider cyber or business interruption insurance. The financial loss from a ransomware attack can be substantial.
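The monitoring advice in tip 4 can be made concrete. What follows is an added example written for this post, not code from the original article or from any vendor tool: it runs a sliding-window count of failed logons per source address over a few constructed, simplified log lines (loosely modelled on Windows logon event IDs 4625 = failed, 4624 = successful) and raises an alert for a burst of failures and for any successful logon from a source that has just produced such a burst. The log format, the thresholds, the user names and the sample addresses are all assumptions made for the example.

```python
"""Flag brute-force style login activity in constructed authentication log lines.

Added example for the blog post above. The line format is a constructed,
simplified rendering of Windows logon events (4625 = failed logon,
4624 = successful logon); real event exports carry many more fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event id> <username> <source ip>"
# The addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2020-08-17T22:01:03 4625 jdoe 203.0.113.7
2020-08-17T22:01:05 4625 admin 203.0.113.7
2020-08-17T22:01:06 4625 administrator 203.0.113.7
2020-08-17T22:01:08 4625 jsmith 203.0.113.7
2020-08-17T22:01:09 4625 backup 203.0.113.7
2020-08-17T22:01:11 4625 svc_rdp 203.0.113.7
2020-08-17T22:01:40 4624 jsmith 203.0.113.7
2020-08-17T22:05:00 4625 jdoe 198.51.100.4
2020-08-17T22:30:00 4624 jdoe 198.51.100.4
2020-08-18T03:12:00 4624 jdoe 192.0.2.10
"""

FAILED_LOGON = "4625"   # assumed event id for a failed logon
SUCCESS_LOGON = "4624"  # assumed event id for a successful logon


def parse_line(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, event_id, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event_id,
            "user": user, "src": src}


def parse_log(text):
    """Parse the whole log text, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_brute_force(events, max_failures=5, window=timedelta(minutes=2)):
    """Return alerts for (a) >= max_failures failed logons from one source
    inside the sliding window and (b) a successful logon from a source that
    was already flagged for such a burst. Events must be in time order."""
    alerts = []
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    flagged = set()                # sources already reported for a burst
    for ev in events:
        recent = failures[ev["src"]]
        # Drop failures that fell out of the window before this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["event"] == FAILED_LOGON:
            recent.append(ev["ts"])
            if len(recent) >= max_failures and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"type": "brute_force_burst", "src": ev["src"],
                               "count": len(recent), "ts": ev["ts"]})
        elif ev["event"] == SUCCESS_LOGON and ev["src"] in flagged:
            # A success right after a burst is the case that needs a human look:
            # the guessing may have worked, or the password was already known.
            alerts.append({"type": "success_after_burst", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_brute_force(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the detector raises two alerts: a burst from 203.0.113.7 once its fifth failure lands inside the two-minute window, and a follow-up alert when the same address then logs in successfully as jsmith. The single failure from 198.51.100.4 followed by a success half an hour later stays below the threshold, which is the kind of ordinary mistyped-password pattern the threshold is there to ignore. In a real deployment the threshold and window would be tuned to the institution's own logon volume, and the success-after-burst alert is the one worth routing to an analyst first.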

Don’t get caught off guard by ransomware. Make sure you assess this risk to your FI and implement and monitor controls to keep your systems and data safe.
