How Financial Institutions Can Manage Third-Party Ransomware Risk

Ransomware attacks are growing in both frequency and financial impact. Financial institutions (FIs), in particular, are among the most attractive ransomware targets because of the value of the assets they manage and the criticality of the data they hold. According to Sophos’ recent survey, 55% of financial services firms were hit by at least one ransomware attack in 2021, a 62% rise in a single year.

FIs are also vulnerable because they rely on hundreds, thousands or even hundreds of thousands of third-party vendors, from call centers to cloud providers, many of which have access to the FI’s infrastructure or network. One industry projection put the share of 2022’s security events that would stem from third parties at 60%.

Because of this reliance on third parties, an FI can be affected by ransomware in two different ways: a vendor is itself hit by ransomware and can no longer deliver its services to the FI; or the attack targets the FI directly and uses the vendor’s access as the means to get past the FI’s perimeter and reach its assets. In either case, the resulting attack can cause severe damage to the FI’s operations, including compromising its:

• Business Continuity: If a managed service provider has its data encrypted by ransomware, the loss of that data, or of access to it, will often hamper or eliminate the FI’s ability to serve customers. Because financial firms frequently rely on each other’s systems, an outage at one service cascades to the others that depend on it.

• Reputation: If a ransomware attack puts customer data at risk, the FI’s customers may decide to stop doing business with it. The FI’s share price may suffer as well.

• Data Privacy: If sensitive data is leaked in a “double extortion” attack, in which the attackers both encrypt the data and threaten to publish it unless paid, the FI may be found in breach of privacy laws or other regulations.

In fact, according to the Sophos study cited above, 91% of financial services organizations hit by ransomware said the attack affected their ability to operate, while 85% stated the attack caused the organization to lose business and/or revenue.

It is not enough for FIs to strengthen their defenses. They must also ensure that their vendors’ security is equally strong. This requires action on three fronts.

Assess

Conduct an assessment to uncover the risks each vendor could bring. Start by identifying the vital business areas and ascertaining which of their ongoing operations depend on which vendors. Next, rank the vendors by the criticality of those operations and decide how deeply each one must be assessed.

This requires a granular understanding of the service each vendor provides, the type of data it holds, its exposure to the outside world (reputation) and its interfaces with the FI’s employees and systems (the potential infiltration points). It is also highly recommended that the FI devise a plan of action for a worst-case scenario involving each vendor deemed “most critical.”

Prevent

Determine what controls each vendor has in place to reduce the probability of a ransomware attack. Then, thoroughly validate the processes and procedures in their business continuity and disaster recovery plans, using evidence such as recovery test results rather than questionnaire answers alone.

Terminate the relationship where the gap between the controls the assessment calls for and those the vendor actually has, across its information security management program, its use of cloud technologies and the providers in its own IT supply chain, is too dire to close.

Detect

Proactive notifications are critical. The SEC has proposed a rule that would require covered firms to report significant cybersecurity incidents within 48 hours, and the FDIC and OCC (together with the Federal Reserve) already require banks to notify their primary federal regulator within 36 hours of determining that a notification incident has occurred. The same banking-agency rule requires bank service providers to notify affected bank customers as soon as possible when an incident has caused, or is reasonably likely to cause, a material service disruption of four hours or more. FIs must keep up with these requirements and ensure that their vendors do, too.

Ransomware typically gains its foothold through a weakness, such as an unpatched vulnerability, an exposed remote-access service or stolen credentials, that the attacker finds before the organization or its third parties do. Continuous monitoring of third parties is therefore critical to detecting and mitigating this risk. If a vulnerability is discovered during continuous monitoring, the organization can ask the third party to patch it before it is exploited.

However, continuous monitoring across a vast and complex risk landscape is challenging; there is too much data to review by hand. Organizations should consider how technology can help. AI-driven third-party risk management (TPRM) platforms, for example, can consolidate the programs, tools and data feeds involved into one place and continuously collect and monitor vendor signals from numerous sources.

Conclusion

Third-party ransomware is a growing threat to businesses of all sizes and a particular threat to the financial sector. Risk managers can reduce the risk of third-party ransomware and other cybercrime by applying the three-step process of assess, prevent and detect, keeping them one step ahead of bad actors.