It is now widely reported that a foreign ransomware gang recently exploited a previously unknown vulnerability in Progress Software's managed file transfer solution, MOVEit Transfer, to steal information from databases used by that product. As companies and the authorities continue to evaluate the extent of the problem, many financial institutions have recently been notified that they are indirect victims of this cyber incident because their third-party vendors used MOVEit to send their sensitive information. We are working with a number of financial institutions, both large and small, to address the fallout from that exploitation, including with respect to regulatory, securities, and customer notification issues. We encourage all financial institutions to confirm internally and with their third-party vendors that they were not impacted by the MOVEit attack.
We also routinely advise financial institutions of all sizes, and their incident response teams, regarding a broad spectrum of other cyber threats to help mitigate their risks from such threats. Below is a summary of some cyber-related guidance that we’ve recently provided to our clients, both before and after they experienced a cyber incident.
- Governance. Establishing appropriate cyber-related governance structures, including Board oversight mechanisms and incident response policies.
- Cybersecurity Awareness. Encouraging institutions to join the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global cyber intelligence sharing community, as well as other comparable organizations, to enhance their cybersecurity awareness.
- Effective Training. Conducting effective training to ensure that directors and employees understand their specific responsibilities and regulatory expectations, including those described in Cybersecurity 101: A Resource Guide for Financial Sector Executives, from the Conference of State Bank Supervisors.
- Third-Party Agreements. Reviewing third-party agreements, including core processing agreements, to ensure that they mandate appropriate cyber expectations, and describe responsibilities following any cyber incident.
- Sheltered Harbor. Evaluating the need to join Sheltered Harbor, a not-for-profit, financial industry-led data vaulting initiative that was established to enhance financial sector stability and resiliency.
- Cybersecurity Insurance. Appropriately notifying cybersecurity insurance providers and maximizing insurance coverage resources, such as breach coaches and forensic firms.
- Internal Investigations. Conducting internal investigations to determine whether any corrective or disciplinary actions were warranted.
- Regulators. Notifying regulators of cyber incidents and any related corrective actions.
- Law Enforcement. Filing Suspicious Activity Reports and, as necessary, coordinating with law enforcement agencies to help reclaim lost funds.
- Required Notifications & Disclosures. Providing any necessary customer notifications, which are fact-specific and depend on the type of exfiltrated data and the location of impacted individuals. Also determining the extent to which disclosures may be required for publicly traded institutions.
- Public Relations. Developing internal and external public relations templates that can be tailored to unique circumstances, while remaining sensitive to the speed at which information spreads in the social media era.
As the MOVEit situation demonstrated, every cyber incident is unique and requires institutions to work with their counsel, and other service providers, to resolve the incident in a manner that comports with applicable law, as well as the expectations of customers, regulators, and other stakeholders. Preparation and a speedy response are paramount.