All things cyber — whether risk, attack, crime or resilience — are never far from the headlines as companies of all shapes and sizes around the world remain vulnerable to attack in the online world.
In this environment, a company’s reputation and its good customer outcomes will be under threat in the event of a failure of cyber resilience; and one of the most prevalent and potentially concerning tests of that cyber resilience is that of ransomware.
There are different types of ransomware, all of which seek to prevent a firm or an individual from using their IT systems and will ask for something (usually payment of a ransom) to be done before access will be restored. Worse yet, there is of course no guarantee that paying the ransom or doing what the ransomware attacker demands will restore full access to all IT systems, data or files.
All too many firms have found that critical files, often containing client data, have been encrypted as part of an attack and large amounts of money are demanded for restoration. In this instance, encryption is used as a weapon; and it can be practically impossible to reverse engineer the encryption or “crack” the files without the original encryption key, which, of course, is deliberately withheld by the cyber-attackers.
What had previously often been seen as simply an IT issue has become an area of great concern for the risk and compliance functions for all types of firms and companies around the world. Likewise, regulatory agencies around the world are trying to compel firms to shore up their resilience against these cyber-attacks.
The regulatory stance is typified by the U.K.’s Financial Conduct Authority (FCA), which has stated its goal is to “help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld.” That is not to say that regulators expect firms to be impervious. In a November 2018 speech on cyber- and technology-resilience, Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the FCA, made clear that “…the FCA does not expect ‘zero-failure.’ A point that is explicitly made in July’s FCA, Bank of England discussion paper on operational resilience. In that we talk about setting ‘impact tolerances’ and the ability of firms to ‘recover and learn from operational disruptions.’”
Defending Against Ransomware Attacks
Risk and compliance officers do not need to become technological experts overnight, but they do need to ensure that cyber risks are effectively identified, managed, mitigated, monitored and reported on within their firm’s corporate governance framework.
For some compliance officers, cyber risk may be well outside their comfort zone; however, it not only needs to be considered but is also tractable: there is evidence that simple steps, implemented rigorously, can go a long way toward protecting a firm and its customers.
Cybersecurity has been the subject of numerous national and supranational policy statements. In October 2017, the Financial Stability Board, an international body made up of regulatory agencies from around the globe, noted that “effective cybersecurity requires a strategic, forward-looking, fluid, and proactive approach. It was also noted that it is not sufficient to simply look to past incidents and known risks, but that one must evaluate potential future threats. At the same time, participants stated that up to 90% of threats can be mitigated by basic cybersecurity hygiene.” Any basic cybersecurity hygiene aimed at protecting businesses from ransomware attacks should make full use of the wide range of resources available on cyber resilience, IT security and protecting against malware attacks.
Good advice on the general prevention of ransomware attacks centers on making sure that a company’s confidential, sensitive client or other important files are securely and regularly backed up in a remote, unconnected storage facility. As with other aspects of compliance, the basics — done consistently and well — will go a long way toward providing companies and their clients with a reasonable level of cyber resilience.
Some specific good and better practice recommendations on preventing ransomware attacks include:
- Checking the company has basic protection against malware that is up to date (malware being an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems);
- Ensuring all devices have the latest security patches;
- Removing all unnecessary user accounts (such as guest and administrator accounts) and restricting user privileges to only what is currently required;
- Removing or disabling any unnecessary software to reduce the number of potential routes of entry available to ransomware attackers;
- Segmenting the network so that if an attack does take place, the damage suffered is limited;
- Ensuring the firm has an off-line and off-site backup of all critical systems (with the aim of protecting any backup from also being encrypted as part of an attack); and
- Training staff to recognize a ransomware attack if it does manage to get past any anti-malware protection already in place.
If the firm has been a victim of a ransomware attack, equally good advice is to use all possible means to regain access to IT systems and client files as swiftly and cleanly as possible, which may well mean paying any ransom demanded as a matter of urgency. The follow-up action is then to learn all possible lessons to prevent a recurrence of the attack.
Some specific good and better practice recommendations for recovering from a ransomware attack include:
- Ensuring the firm has an effective backup policy and process in place that has been regularly tested as working. A key element of any effectiveness testing is to consider how the firm can seek to ensure that any backup will not also be maliciously encrypted in the event of a successful ransomware attack;
- Including cyber-attack scenarios in all business and disaster recovery plans and, again, testing regularly to ensure they work as planned; and
- Making sure that once any ransomware has been removed, a full security scan and penetration test of all systems and network are carried out — if attackers were able to get ransomware onto the firm’s systems, they may have gained other access that has not yet been detected.
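As an added illustration of the backup effectiveness testing described in the first recovery point above (example code written for this page, not the article's own material or any regulator's guidance), the following Python script records a hash and an entropy reading for every file when a backup is made, then verifies the backup later and flags files that have been altered, files whose content has jumped to near-random bytes (the pattern encryption leaves behind), and files the backup never contained. The 7.5 bits-per-byte threshold and the sample files built in demo() are constructed assumptions.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream; backups can be large
            h.update(chunk)
    return h.hexdigest()

def head_entropy(path, nbytes=4096):
    # Shannon entropy (bits/byte) of the first block: text is ~4-5, ciphertext is close to 8
    with open(path, "rb") as f:
        data = f.read(nbytes)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(backup_dir):
    # Taken when the backup is written; keep the manifest off-line next to the backup media
    root = Path(backup_dir)
    return {str(p.relative_to(root)): {"sha256": sha256_file(p), "entropy": head_entropy(p)}
            for p in root.rglob("*") if p.is_file()}

def verify_backup(backup_dir, manifest, threshold=7.5):
    # Returns (relative path, reason) for every file that no longer matches the manifest
    root, findings = Path(backup_dir), []
    for rel, rec in manifest.items():
        p = root / rel
        if not p.exists():
            findings.append((rel, "missing"))
        elif sha256_file(p) != rec["sha256"]:
            # a hash mismatch plus a jump to near-random content is the encryption pattern
            encrypted = rec["entropy"] <= threshold < head_entropy(p)
            findings.append((rel, "modified, high entropy (possibly encrypted)" if encrypted else "modified"))
    for p in root.rglob("*"):
        if p.is_file() and str(p.relative_to(root)) not in manifest:
            findings.append((str(p.relative_to(root)), "unexpected"))  # never part of the backup
    return findings

def demo():
    # Constructed fixture: verify a clean backup, then the same backup after simulated encryption
    with tempfile.TemporaryDirectory() as d:
        Path(d, "client_records.csv").write_text("id,name\n1,Alice\n" * 300)
        Path(d, "policy.txt").write_text("Backup policy v3\n" * 100)
        manifest = build_manifest(d)
        clean = verify_backup(d, manifest)
        Path(d, "client_records.csv").write_bytes(os.urandom(8192))  # stands in for ciphertext
        Path(d, "unexpected_note.txt").write_text("constructed extra file\n")
        return clean, verify_backup(d, manifest)
```

A scheduled run of verify_backup against a manifest held off-line gives the "regularly tested as working" evidence the point above asks for, and a non-empty result is the trigger for restoring from an older, untouched copy.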
Cybersecurity has become a very real regulatory risk; and firms around the world are on notice about the need to identify, manage and, whenever feasible, mitigate cyber risks — including ransomware.
As part of a firm’s overarching approach, the compliance function needs to ensure that cyber risks are expressly included in the range of risks considered, and that the board is prepared to discuss the actions taken to ensure that all reasonable steps have been taken to embed cyber resilience throughout the firm.