The Colonial Pipeline and JBS ransomware attacks received extensive media attention in recent weeks. Ransomware is a type of malware that effectively locks victims out of their own systems and data by encrypting them. The threat actors demand money (often in cryptocurrency) and, if they are not paid, threaten to publish sensitive information stolen during the attack or to withhold the decryption key needed to “unlock” the affected systems. Because ransomware spreads across a network and encrypts servers and workstations alike, a single attack can disable a victim’s e-mail, HR systems, and website all at once.
Like other industries, banks are not immune from ransomware attacks. Ransomware is far more widespread than most businesses realize—10% of all cyberattacks are now ransomware attacks. The average cost of a ransomware attack is over $300,000, and can climb into the millions.
The recent attacks prompted the Department of Justice to create a Ransomware and Digital Extortion Task Force and caused White House Deputy National Security Adviser Anne Neuberger to issue a ransomware memorandum, urging companies to harden their cyber defenses.
Although these developments are disquieting, they are no reason to panic. Proper planning can help mitigate the impact of a ransomware attack. To prepare, banks should consider taking these initial steps prior to an attack:
- Evaluate your insurance: Do not assume you are safe because you have purchased cyber insurance. Many cyber policies exclude ransomware and extortion events entirely, or cover them only if the bank purchases a separate ransomware policy or endorsement. Review your policy’s exclusions now, before an incident, so you know what is and is not covered.
- Assess your information security policy (ISP) and controls. Although you cannot prevent all attacks, a strong policy and reasonable controls can mitigate both the likelihood and impact of such an event. Cybersecurity is not revenue producing, but it might be revenue saving.
- Maintain backups of your important data. Backups are the most reliable way to recover after a ransomware event, but only if the attacker cannot reach them: keep at least one copy offline or otherwise isolated from the production network, and test restoring from it regularly. Note that backups address the loss of access to your data, not the separate threat of stolen data being published.
- Provide training to your employees. Cybersecurity awareness training can mitigate the impact of a ransomware attack, or prevent an attempted attack from succeeding.
- Prepare an incident response plan: Many banks and businesses fail to consider what to do when the worst occurs. Who are you going to call first (and second and third)? How are you going to contact employees and other stakeholders, particularly if you no longer have control over, or access to, your computer network? Who manages your incident response team? Keep a copy of the plan and its contact lists somewhere that remains reachable when the network is down. Consider what you need in a comprehensive incident response plan, test it, and then routinely update it.
- Address your bank’s cybersecurity with the Board of Directors and appropriate committees, such as the risk committee. Educating the Board on the importance of appropriate defenses is important to ensuring that the institution is devoting sufficient resources to defending against cyberattacks.
We Can Help You
Each of these initial steps is crucial to surviving a cyberattack. Your customer’s funds and goodwill are at risk, and we are here to help you take steps to preserve them. If you want to learn more, or have questions or concerns about your own cyber preparedness, contact us.
Justin C. Steffen is a nationally recognized FinTech and cryptocurrency attorney who helps financial institutions navigate the legal and regulatory obstacles to innovation. Justin regularly advises clients on the intersection of technology and the law, including on issues related to financial privacy, ransomware, and cybersecurity.