Ransomware Risk Management: Defending Your FI Against Cyber Attacks

Ransomware — a type of malware that encrypts an organization’s data or locks them out of their systems — continues to be a significant threat to financial institutions (FIs), wreaking havoc on their business continuity, operations, vendor management program, and finances. Ransomware hit record numbers in Q1 2025, with more than 2,000 victims.  The average ransomware payment reached over $500,000 in Q4, a 16% increase from the previous quarter.

In this post, we’ll discuss how to protect your FI against ransomware and what to do if you or one of your vendors experiences an attack.

Related: A Cybersecurity Assessment Tool Designed for Financial Institutions

How to protect your FI against ransomware

In December 2023, ransomware attackers infiltrated a third-party business continuity planning and disaster recovery provider. The incident quickly snowballed, impacting another unit of the vendor’s parent company, a data processor for credit unions. This led to widespread outages, non-operational data centers, interrupted online and mobile banking services, and many unhappy members.

How can you protect your FI against ransomware attacks like the one described? While not entirely unavoidable, there are some key steps you can take to mitigate ransomware-related risks.  

• Stay on top of the latest information. Ransomware attacks — from artificial intelligence-powered social engineering to cloud infrastructure exploitation — are becoming more sophisticated. Know the latest cyber threats and share updates with organizational stakeholders.
• Train staff to recognize ransomware activity. Bad actors can access systems when employees click links that download software onto their computers. Phishing emails are becoming increasingly convincing, so ensure your employees can properly identify and report them.
• Keep software updated and properly configured. The attackers in the example exploited a known vulnerability, Citrix Bleed, to install ransomware. Don't wait to address risk areas — stay proactive.
• Monitor your system for abnormal activity. Remote employees often use Remote Desktop Protocol (RDP) to work from home, a potential point of entry for ransomware. Monitor your network for odd login activity. Criminals will use brute force attacks, such as repeatedly logging in with numerous passwords and usernames or using purchased credentials to infiltrate your systems.
• Keep your backup and disaster recovery plans updated. A single incident can quickly escalate into financial, operational, and compliance issues, underscoring the importance of business continuity management and operational resilience.
• Encrypt your sensitive data. If a breach occurs, hackers can't use your data if it's encrypted.
• Consider cyber or business interruption insurance. While it's unpleasant to think about ransomware becoming a reality for your institution, being prepared is better than being sorry, as the financial losses from a ransomware incident can add up.
• Check cybersecurity and vendor monitoring systems. Integrate threat intelligence and continuous monitoring into your cybersecurity and vendor risk programs to detect early signs of ransomware, including vulnerabilities in third-party vendors.

Related: Will Your Vendors Fall Victim to Ransomware and Other Cybersecurity Threats?

So, you’ve experienced a ransomware attack — here’s what to do next

It happened: You or one of your financial institution’s critical third-party vendors has fallen victim to ransomware.

Below is a framework that applies to both internal incidents and third-party ransomware events.

1. Contain the threat 

Ransomware attacks — internal and external — can spread quickly. Isolate the infected system to prevent the malware from spreading laterally across your network. Disconnect compromised endpoints and begin the incident response process.

If a vendor falls victim to a ransomware attack, evaluate your connection. If you use software as a service (SaaS), you probably don’t have to sever it. However, if a vendor system integrates with your systems, you’ll likely want to disconnect and even shut down your machines.

2. Assess the scope

Regardless of the incident’s source, determining what was affected is critical:

• Which systems, functions, or departments are down?
• What sensitive data, if any, was accessed or encrypted?
• Is the attack ongoing, or has it been contained?

If a third party experiences an attack, request a detailed formal incident report from the vendor to understand their mitigation and recovery process.

Related: Incident Tracking: 4 Benefits & 5 Best Practices

3. Contact legal counsel

Legal guidance is essential for both internal and external ransomware incidents. Before informing the authorities, contact legal counsel.

Financial institutions and their employees are increasingly edgy when it comes to cybersecurity, and it’s possible a staff member could overreact to a false positive. Your FI doesn’t want to draw attention to a vendor breach if the vendor’s ransomware issue doesn’t directly impact your FI.

4. Activate business continuity plans

Ransomware can simultaneously impact multiple critical systems. A strong business continuity plan (BCP) should account for this by ensuring a coordinated response across IT, cybersecurity, compliance, legal, and business units.

While the BCP doesn’t need to be event-specific, it must integrate with your incident response plan, disaster recovery, and communications strategy to address data loss, service delays, and other potential impacts. Recovery priorities may shift during an attack, making scenario testing essential to ensure your BCP holds up under pressure.

Related: Does Your BCP Have a BCP?

5. Communicate with your customers

Breaches make headlines, so your FI needs to be prepared to answer consumer questions about what happened. In the immediate phase, ensure your customer service representatives can accurately respond to customer or member calls.

6. Consult your vendors and your FI's cyber insurance policies

Don’t assume general liability or business interruption insurance covers cyber events. If you have cyber coverage, review its scope carefully, as it may exclude vendor breaches or cyber terrorism. Know whether you have first-party coverage (direct costs like notifications, business interruption, and extortion) or third-party coverage (claims from customers, partners, or vendors).

7. Enhance your cybersecurity and vendor monitoring programs

Too often, FIs don’t implement what they have learned from incidents. After a ransomware incident:

• Internal source: Conduct a root cause analysis, patch vulnerabilities, and strengthen endpoint detection and response (EDR) systems.
• External source: Reevaluate vendor due diligence and require vendors to demonstrate cybersecurity maturity (e.g., regular risk assessments, certifications, recovery testing).
  
  

Do you know how to manage incidents to minimize downtime, mitigate risk, and ensure regulatory compliance and operational resilience?

Ensure you’re following best practices with our incident response plan checklist.