You just got the call every financial institution’s CIO dreads. Now what?
- After a ransomware attack begins, financial institution CIOs or CISOs will need to take quick, decisive action to identify the facts, activate an incident response plan and do a postmortem analysis.
- A successful ransomware attack can lead to financial, reputational and regulatory damages, but can be mitigated by implementing an effective cybersecurity strategy and appropriate controls.
- To reduce your risk of suffering a ransomware attack, be sure you have an incident response plan in place, align with a cybersecurity framework like NIST CSF, implement 24/7 active network monitoring and conduct regular testing.
It’s 4 a.m. You’ve set your phone to do not disturb, but a call buzzes regardless. And even before you pick up, you know what the caller is going to tell you: Cybercriminals have launched a ransomware attack on your financial institution.
What happens after you get the call, and, more importantly, how can you take action to protect your institution against ransomware attacks? Keep reading to find out.
What happens during a ransomware attack on a financial institution?
If you’re a financial institution CIO or CISO, you’ll be charged with leading your institution’s response to a ransomware attack. You’re the quarterback who will need to assess the situation, take action to stop it and then figure out what went wrong and how you can prevent another attack.
In broad strokes, here’s your roadmap for what to do after you learn a ransomware attack is underway:
Establish the facts about the attack
Your first job is to find out exactly what’s happening. You might be in the middle of an active data breach, but you could also have caught an early warning sign that someone has compromised your systems before a full-blown attack is actually underway.
Find out what your team is seeing. Has an unauthorized person simply gotten login credentials to your systems? Or are you already seeing reports of degraded services, team members unable to access critical data or even ransom messages?
Activate your incident response plan
Once you decide you’re facing a critical threat, it’s time to activate your incident response plan. Your plan should involve both a series of steps to respond to the immediate threat and actions to manage the broader crisis you’ll face in the event of a successful breach, including PR issues and weighing whether to make a ransom payment.
- Lock down your systems: Your team should immediately secure any uncompromised systems to limit the spread of the attack. If core systems have already been compromised, you’ll probably have received a ransom message by now.
- Coordinate with stakeholders: Your executive, legal and comms teams will need to coordinate on key decisions, including whether to make a ransom payment, if you should involve your insurance company and how to break the news of the attack to your customers, partners and regulatory agencies.
- Restore system access: Regardless of whether you make a ransom payment, you’ll have to reboot and re-secure your systems before you can resume normal operations.
Do a postmortem cybersecurity analysis
Once the immediate threat is over, it’s time to figure out what went wrong. This involves doing a postmortem analysis that evaluates your existing controls and security measures in light of the attack to identify gaps or oversights that helped allow the breach to occur.
During this time, you’ll also need to maintain active communication with your customers to explain what happened and assure them that their data is once again secure. Your insurance company will also likely conduct a postmortem of its own, in part to determine the validity of your insurance claim.
How does a ransomware attack cause damage to an organization like yours?
No financial institution wants to talk publicly about the harm caused by a cybersecurity incident like a ransomware attack. But in private, leaders will acknowledge that a successful attack can lead to financial, reputational and regulatory damages, as well as an increased likelihood of being targeted again.
Financial damages
The average financial cost of a successful ransomware attack on a financial institution is roughly $6 million. This may be small potatoes for the largest national institutions, but many regional or mid-sized institutions would struggle to overcome that kind of unexpected hit to their books.
Reputational harm
Mid-sized financial institutions typically win customers by offering superior service and cultivating a sense of trust and community. A ransomware attack can shatter that and push even loyal customers to consider if they would be safer moving their accounts to a large national institution.
Regulatory consequences
Regulators understand that no business can build a perfect barrier against cybercriminals. But you are certainly expected to do what you can. Regulators will not look kindly on CIOs or CISOs who haven’t made a good faith effort to implement appropriate controls and a mature cybersecurity program — and crucially, will also be less likely to approve a merger or a new product offering.
Insurance investigation
If you filed an insurance claim as a result of the attack, you should expect your insurance carrier to conduct its own forensic review as well. You’ll need to provide detailed documentation of all your controls and security measures for your insurance company to review; if those prove substandard, you may risk your policy being voided.
Repeat or copycat attacks
Unfortunately, being the victim of a successful ransomware attack makes it more likely you’ll be targeted again in the future. The original hackers could try again, but after word of the attack gets out, you may also find yourself dealing with would-be copycats. Regulators know this pattern and will view your institution as being at higher risk in their own assessments.
How should financial institutions better protect themselves against a ransomware attack?
To better protect their financial institution, CIOs or CISOs should be sure their cybersecurity defenses include the following five steps:
1. Have a clear incident response plan
You will be able to react faster and more effectively to a ransomware attack or other cybersecurity incident if you already have an incident response plan in place. A good incident response plan doesn’t need to be super granular but should outline the high-level steps you’ll need to take after an attack starts, including who to call and what to do.
Your plan should cover each phase of an attack: Detect, identify, respond, recover and postmortem.
2. Implement 24/7 holistic monitoring
It’s no longer enough to have an in-house IT team that monitors your network for signs of an attack during the day and then goes home in the evening. To reduce your risk of suffering a successful attack that begins when no one is watching, you should implement 24/7 active monitoring. This can be done entirely by a third-party cybersecurity firm, but you can also experiment with a hybrid approach where your IT team handles monitoring during work hours and then a third party takes over after they clock out.
3. Practice your response with regular tabletop exercises
Tabletop exercises are an opportunity to practice your incident response plan. During a tabletop exercise, you’ll be able to run through each stage of your response with your team, so you’ll feel more confident and capable should an actual incident occur.
4. Test your controls and defenses
In addition to tabletop exercises, you should also regularly test your systems and controls to see whether they can withstand an attempted attack. Do both external penetration testing to assess your perimeter defenses and internal penetration testing to see how vulnerable you might be to someone who has already gained system login capabilities.
You can also work with a third-party cybersecurity firm to conduct a simulated ransomware attack, which will allow you to see how your team and controls stand up in that specific situation.
5. Follow a cybersecurity framework
Financial institutions will typically benefit from aligning with a security framework like NIST CSF. This makes it easier to identify gaps, establish due diligence for regulators and implement a holistic, defense-in-depth approach. You should also review appropriate CIS benchmarks.
How Wipfli can help
We advise financial institutions on risk management, technology, cybersecurity, performance and growth. Let’s talk about the challenges you face and how we can help you solve them. Start a conversation.