74% of ransomware revenue goes to Russian-linked hackers
A news story from the BBC reports that the majority of ransomware revenue is driven by Russian-linked hackers with "a huge amount of crypto-currency-based money laundering" going through Russian crypto-companies. The article also states that the cyber-attackers have written their code to prevent it from damaging files if it detects the victim's computers are located in Russia or a CIS (Commonwealth of Independent States) country. [i]
Ukrainian banks hit by cyberattacks
Banks and government agencies in Ukraine were hit by cyberattacks in an “attempt to sow confusion as part of hybrid warfare against Ukrainians” ahead of the invasion. [ii]
International conflict brings attention to cyber threats to US critical infrastructure
The Biden administration has levied sanctions on Russian financial institutions and individuals affiliated with the Russian government. Concern is mounting that cyberattacks may be initiated as direct retaliation for U.S. action in Ukraine or as an indirect, spillover threat resulting from other attacks. [iii]
Russia and China are two of the top four countries with cyber power capabilities
The Belfer Center for Science and International Affairs of Harvard Kennedy School publishes a study and ranking of the cyber power of 30 countries. The Belfer National Cyber Power Index (NCPI) 2020 ranked the United States, China, the United Kingdom, and Russia, in that order, as the top four countries in the world for cyber power. You can view the full report here: National Cyber Power Index 2020 | Belfer Center for Science and International Affairs
Regulators continue to stress that cyber is the #1 threat
Regulators at multiple agencies continue to stress that cyber threats are the biggest threat facing the banking industry today. The threats are growing in both volume and complexity, something regulators have insight into at a national level.
What actions can I take to protect my institution from cyber threats?
Cybersecurity works best when it is woven into systems and processes rather than bolted on as an afterthought.
Two basic assessments of your institution’s cyber readiness include:
- IT Audits & Exams: Watch for an increasing number of findings year over year in IT audits and exams; increases in the number of vulnerabilities; or findings from past IT audits and exams that have not been resolved.
- Ransomware Self-Assessment: The Conference of State Bank Supervisors (CSBS) has published a Ransomware Self-Assessment Tool (R-SAT) to help identify gaps in protecting against and recovering from a ransomware attack. It is one of several tools available to help an institution assess its cyber-readiness and is easy to use.
Two non-technology-driven defenses we recommend to any institution include:
- Multi-Factor Authentication: MFA is one of the best defenses you can have against ransomware and several other cyber threats. The FFIEC guidance titled Authentication and Access to Financial Institution Services and Systems advises banks to consider access points to their data networks from employees, vendors, and customers. Review your institution's risk assessment for each of these three access categories, look for areas where MFA is not in use, and ensure board-level review.
- Board Involvement: “We’re moving IT from the backroom to the boardroom” has been a common refrain from regulators for several years when talking about cyber. Regulators want to see that the board is active in analysis and decision-making regarding the #1 risk your institution faces. Look for areas where your board has documented its cyber risk discussions and the actions taken.
Missed opportunities in cybersecurity decision making
Corporate leaders often miss the connection between a minor decision related to cybersecurity and the potential consequences of that decision. Read more in this article by Stuart Madnick, Professor of Information Technologies, Emeritus, at the MIT Sloan School of Management: Why Small Cybersecurity Decisions Can Expose Companies to Cyberattacks - WSJ
Decision-making data for Executive Officers and Board Members
Think of the large-company cyber breaches you have heard of. The executive management and boards of these companies did not intend for a cyber breach to occur. A key consideration is who is involved in the decision-making; corporate boards, management, and IT professionals are tasked with keeping bad things from happening. Directors may not know what questions to ask of management; management may not grasp the severity of the risk and which measures are critically necessary; IT professionals may not grasp the firm’s business objectives and are challenged to translate technology risks into layperson’s terms that would allow the board and management to take action. Who is involved in technology decisions at your institution?
Some boards are adding directors that have solid technology credentials; others are seeking IT professionals that have a proven combination of business experience and technical skills with the ability to communicate effectively. It’s a growing challenge as there is more demand for qualified technical executives than there are qualified persons to fill the need.
With direct connections to regulators and visibility across the institutions in our community, BankOnIT experts remain current on cybersecurity risks, protective measures, regulatory guidance, and other trends. We’re available to lead a discussion at your next board meeting. Send a request through the Contact Us form on bankonitusa.com
Backups, Backups, Backups
Everyone from regulators to vendors to IT staff is stressing the importance of backups in relation to recovering from ransomware. Don’t get us wrong; solid backups are a must and they can save the life of your business. But backups are similar to the airbags in your car – you may be glad you had them but when they deploy, it’s not a successful day. There should be multiple layers of security that are built into the design of your technology network to stop ransomware and other threats from requiring the use of your backups. If you have had to use backups to recover from an event, consider why backups had to be used as well as decisions that were made leading up to that point.
Risks posed by supply chain shortages
The components underpinning information technology networks are harder to find, take longer to receive, and cost more. The computer chip shortage is one reason why. Chips used in most automobiles and computer equipment are not high-end, high-margin chips. It's the lower-end, lower-margin chips that get used the most. Unfortunately, with a chip fabrication plant costing billions of dollars to build and equip, there is little incentive for chip manufacturers to make large investments to sell low-margin products.
It's similar to the toilet paper shortage of 2020
Firms with the resources and an understanding of distribution systems are putting extra resources into finding and obtaining these critical components and stocking up when they do find them. BankOnIT has identified critical network components and maintains a readily available inventory to support our client base.
Your largest borrower just got ransomware
Have you considered the impact a ransomware event would have on your commercial borrowers’ cash flow? Your institution would almost certainly be impacted.
But ransomware is not the only technology-related credit risk to worry about. The impact of a supply chain disruption or loss of a key tech employee can also adversely impact a borrower’s technology systems and have a negative impact on a borrower’s repayment capacity.
DO: Ask your customer upfront about the controls and incident response plans they have in place to mitigate technology risks. Consider requiring borrower notification to the bank when specific technology-related events occur. Ask legal counsel for advice on including technology-related covenants in loan agreements.
DO NOT: Lender liability is not something that is relegated to the 1980s. Don’t send the bank’s IT staff to perform a risk assessment of the borrower's IT or help with their IT systems.
Cyber threats are growing in frequency, volume, and sophistication. The supply chain issues will remain for some time. While there is reason for concern, there is no need to panic. As threats evolve, so too must the tools and expertise employed to counter the threats. BankOnIT works to provide the ongoing technology resources our clients need to operate reliable, secure, scalable networks so that they can focus on the business of banking. Working together as a community makes all of us stronger and provides each institution in our community the freedom to do more.
Are you a board member or executive officer with questions about technology risks at your financial institution? Send us a secure note under the Contact Us section of bankonitusa.com.
[i] BBC: 74% of ransomware revenue goes to Russia-linked hackers
[ii] WSJ: Ukrainian Defense Ministry, Banks Hit by Suspected Cyberattacks ...
[iii] WSJ: U.S. Banks Are Prepared for Russia Sanctions, but Concerns Grow About Potential Hacks