From 2019 to 2020, ransomware in North America grew 158% year over year [1], and attacks are growing increasingly sophisticated. Protecting your bank from cyber-attacks is an everyday reality for you. This issue of Information Technology for Directors is entirely focused on the cyber-security threat of ransomware.
What is causing ransomware to proliferate?
Ransomware attacks are growing because they are very effective at generating the revenue sought by the criminal organizations that run them. There are three primary reasons why ransomware attacks are growing unabated:
- Weak (Foreign) Law Enforcement Response. The countries in which attacks originate have either weak law enforcement or are willing to turn a blind eye to these attacks.
- Poor Cybersecurity Health and Weak Defenses. Like legitimate businesses, cyber attackers want the highest return on the investment of their time and resources, so poorly defended organizations make attractive targets.
- Ease of Payment. Digital currencies such as Bitcoin have made ransom payment quick, easy, hard to trace and for the most part unregulated. It would be hard to imagine ransomware growing into the problem it is today if payment had to be made in suitcases full of hundred-dollar bills or through FedWire or SWIFT payment systems.
Who is plotting these attacks?
While some attacks are likely nation-state sponsored intelligence operations targeting government agencies, others are the work of criminal organizations that operate as businesses working to increase and diversify their revenue streams.
Why are banks ransomware targets?
In part, cybercriminals target banks for the same reason bank robbers historically have: because that's where the money is. Additionally, these operations target entities that have the ability and the willingness to pay ransom demands. To the attackers, financial institutions seem more willing than other types of businesses to pay a ransom in order to mitigate reputational risk and maintain customer access to their financial services.
What is a supply chain attack?
Recent cyber-attacks have targeted software providers in supply chains (such as SolarWinds and Kaseya) that help businesses and Managed Service Providers (MSPs) manage information technology infrastructure for their own organizations or, in the case of MSPs, for their clients. Supply chain attacks are designed to gain malicious access to many entities through a single point of entry. Penetrating these software firms gives cyber-attackers entry into the systems of their ultimate targets: the software firm's clients.
What other new methods are cybercriminals using to deliver ransomware into banks?
It is also becoming common for attackers to compromise the email accounts of entities that are known and trusted by financial institutions, such as CPA firms and state bank trade associations. Once inside the system, the attacker sends emails to bank executives impersonating the trusted third party and requests that the reader click on a link or open an attachment that contains ransomware.
What will it take to address this growing menace?
Reducing the number and impact of successful attacks will require digital currency regulation, foreign law enforcement coordination and action on the part of the DoD, NSA, CIA and other Government agencies. Of course, protection also comes from measures taken by you and your vendors.
What steps can we take to protect our bank?
Following are some things you can watch for in performing oversight of information technology at your institution:
- Ask your vendors if they are regulated. Federal banking regulators perform oversight at a relatively small number of technology providers through their Technology Service Provider examinations. Regulated entities are examined on metrics such as management, financial stability, information security and disaster recovery and are assigned a rating similar to the 1 to 5 CAMELS rating banks receive. You should request a copy of the disclosable portion of your vendor’s TSP exam from your primary Federal banking regulator. Should a significant issue occur, regulators reserve the right to notify client institutions directly of shortcomings where they perform examinations. Vendors should also receive independent SOC audits that report on internal controls. Review your vendors’ exam reports; look for and ask about repeat findings that have not been addressed since the previous exam.
- Ask if the vendors have a SOC audit performed on their own operations (not those of a leased third party's data center). Review your vendors' audit reports; look for and ask about repeat findings that have not been addressed since the previous audit.
- Cyber-attackers look for easy weaknesses to exploit, such as known vulnerabilities that have not been patched for months. Vulnerability assessments are typically performed annually as part of the bank's IT audit. Consider running and reviewing vulnerability assessments more frequently, such as on a quarterly basis for internal assessments and on a monthly basis for external assessments. More frequent review of these reports will provide an early indicator of problems with patch management.
- Minimize the attack surface by being selective about the vendors in your supply chain. Each vendor that has access into your bank is a potential doorway into the bank for cyber-attackers. Limit the vendors in your supply chain to those that are the most well managed, have substantial banking industry expertise, possess solid internal controls and are regularly examined and audited. Choose vendors that also minimize the number of vendors in their own supply chain.
- Understand what network security tools you are deploying, who is managing them and how they are being monitored. Utilize redundant tools in order to protect your bank at all levels.
- Create a culture of security and compliance. Overcommunicate the need for diligence. Bring awareness to cybersecurity throughout the organization.
Are you a bank director with questions about IT compliance that you would like to ask in a confidential manner? Send us a secure note under the Contact section at www.bankonitusa.com.
If you’d like to receive the Information Technology for Directors publication directly in your email inbox, please email us at Guidance@BankOnITUSA.com.