The stories about ransomware never seem to end. A travel company paid $4.5 million in bitcoin (negotiated down from $10 million) to regain access to its data. Fitness company Garmin reportedly paid attackers $10 million. Travelex, the foreign currency exchange company, is believed to have paid $2.3 million after attackers took down its network for weeks in January, contributing to the need for major financial restructuring and layoffs earlier this year.
The average ransom payment is now $178,245 compared to $36,295 a year ago, according to ransomware response company Coveware.
Why the rapid rise? Criminals now exfiltrate data before encrypting it. They then threaten to publish the stolen data, so even organizations with good backups, which could otherwise restore access without paying, are pressured to pay to prevent disclosure. Backups address the availability problem; they do nothing about data that has already left the network.
What can a financial institution do to avoid ransomware and its consequences? The answer begins with a risk assessment.
When evaluating the cybersecurity risk posed by ransomware, the best place to start is the FFIEC’s Cybersecurity Assessment Tool (CAT). The CAT is designed to help FIs identify their inherent cyber risk and evaluate the maturity of their controls against it.
By answering the CAT’s questions and reviewing the results, FIs can understand regulatory expectations, identify their cyber risks, and then prioritize and mitigate them. This holds true for ransomware.
Ransomware is a type of malware, which is short for malicious software. The FFIEC CAT mentions malware 11 times in its section on cybersecurity controls. Each of those statements is assigned to one of the CAT’s five maturity levels, so an FI can see where its current malware controls fall on that scale. The CAT also maps its statements to the requirements in the FFIEC Information Security Booklet. The five maturity levels are:
Baseline maturity
Evolving maturity
Intermediate maturity
Advanced maturity
Innovative maturity
Those are just the areas of the CAT specific to malware. The tool takes a comprehensive look at your total cyber maturity, showing areas of weakness that could invite ransomware. Tools are available to simplify the process.
Cybersecurity and ransomware go together like cops and robbers—but cybersecurity is just part of the risk picture. There are other areas to consider:
Business continuity/resiliency. Does your financial institution have the backup systems it needs to recover from ransomware and other cyberattacks? Are backups kept offline or otherwise isolated so that ransomware running on the network cannot encrypt or delete them along with the production data? Has a full restore actually been tested, not just the backup job? Is your incident response plan robust, and has it been exercised?
Financial risk. Is your FI prepared for the financial consequences if ransomware caused widespread data loss or a major data breach, or left you no choice but to pay the ransom?
Operational risk. When Garmin was attacked with ransomware, its online services were unavailable. Users of its fitness devices lost every function that depended on those services, even though the devices themselves were untouched.
Vendor management. The travel company breach risked exposing more than its own data. The company also held information about Fortune 500 and other clients such as AXA Equitable, Abbott Laboratories, AIG, Amazon, Boston Scientific, Facebook, J&J, Sonoco, and Estee Lauder, according to reports.
It’s yet another reminder that it’s not enough to protect your own network. If critical vendors hold sensitive data and/or conduct functions essential to your operations, you need to know that they are also resilient. Good vendor management is a must.
Reputation risk. It’s hard to keep a ransomware attack a secret, especially when it disrupts systems. When ransomware hit fintech firm Finastra earlier this year, it had to take many of its servers offline when it detected suspicious activity. The move prevented further ransomware infiltration of its systems, but it also disrupted customers. Once word gets out, everyone will want to know if you paid up and how much.
Don’t get caught off guard by ransomware. Make sure you assess this risk to your FI and implement and monitor controls to keep your systems and data safe.