Ransomware: How Financial Institutions Can Prepare to React Quickly and Limit Damage Through Regulatory Compliance

Data Compliance & Governance December 18, 2023

All over the world, the number of attacks by cybercriminals targeting the financial sector is increasing, and the UK & Ireland is no exception to this trend. According to Veritas research half of UK organisations said that, over the past two years, they had been the victim of at least one successful ransomware attack in which hackers were able to infiltrate their systems. 

The increasing profitability of these attacks for the criminals, means a whole new industry - Ransomware-as-a-Service (RaaS) – is growing rapidly.  Professional hackers, exploiting AI-driven target identification, breach execution, victim extortion, and ransom collection, all offering their malware as a service to the highest bidder.

The increasing threat this poses to national economies led the EU to pass the Digital Operational Resilience Act (DORA) setting out specific requirements for financial service providers concerning risk management. DORA legislated specifically on key areas including reporting accuracy of any ICT-related incidents, and management of third party risk. 

This means that when an attack on any financial services provider occurs, the decisions and actions taken in the hour following an attack will be decisive for the level of organisational impact, and the ultimate survival of the business.

For financial institutions, process predictability is paramount 

IT teams must prepare thoroughly to anticipate an attack by implementing effective operational resiliency practices to secure their data.  Ongoing training for IT and business teams, together with tools for data identification and visibility, are critical when it comes meeting regulatory requirements. 

As part of the ICT risk management process to comply with DORA regulations, successful completion of a specialised audit to identify all types, locations and classifications of data and storage infrastructure must be carried out. These rules have been developed to help prevent and mitigate cyber threats and ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

Compliance with these processes require using tools that link isolated data sets, security policies can be deployed across all environments. IT teams can see at a glance what data the company owns, in what environment it is stored, to report quickly and accurately any loss.  

To remain compliant these must be constantly updated to ensure relevance and resiliency to the latest, constantly evolving, malicious threats. 

Early threat detection is critical for operational resilience

Critical data is the prime target for malicious attack, so constant surveillance to monitor for unusual access or usage patterns in these datasets especially, should form the prime component for efficient reporting to satisfy international legislation requirements.   

Unless detected early, cell-level data corruption attacks—code secretly implanted deep within a victim’s database that lies in wait to covertly alter or corrupt specific but undisclosed data, often at a much later date than the initial threat penetration – can infect core records.   

The real danger is that victims will not know what data, if any, has been altered or corrupted until after the repercussions set in, effectively rendering all their data untrustworthy. The only solution is maintaining secure, verified copies of data that organisations are 100% certain are uncorrupted and can be rapidly restored.

AI tools are able to continuously monitor for changes in behavioural patterns to see if users might have been compromised. If the AI detects suspicious activity, it can initiate automated recovery processes to take immediate action to isolate backups with malware, ultimately minimising the impact of a successful attack.

For backups to remain resilient and reliable in the event of an attack, systems (such as media and metaservers) must be able to continually communicate with each other securely. 

In the event that backup files have been encrypted by a ransomware attack, "immutable" storage systems enable data to be restored without error. However, financial institutions need to be vigilant about physical locations of back-up copies and regularly test the restoration process. 

Stay on the ball and react quickly  

When an attack is reported, every minute counts to limit the business impact. The IT team must intervene immediately and ensure that affected end-users and systems are isolated from the network. 

Data management tools can be used to quickly identify which data is being consulted by which users. By analysing this information, it is then possible to determine which data has been infected or which data is missing. As long as company backups are properly protected, information can be restored without disruption or need to pay a ransom.

To mitigate further risks of fines of non-compliance charges, it must be possible to capture details of the ransomware they received relating to the attack, to share with relevant authorities.  That is another reason why a comprehensive data management and reporting tool is an essential part of the overall organisational resiliency preparation. 

Preparedness prevents prosecution  

To ensure cyber security and true operational resilience in the face of ransomware, financial institutions need to prepare their defences in advance. DORA is making this a regulatory requirement, a failure to comply with which could incur serious penalties including up to 2% of global annual turnover. 

Only through a culture of transparency and complete control of their data can any financial services provider be confident of remaining compliant. Equally only by having a well prepared, continually rehearsed, internal ransomware attack action plan – that evolves to new threat requirements and is fully communicated to any 3rd party service providers involved - can any organisation be confident of having an effective cyber recovery strategy.  

While this is a cost to the organisation in terms of time, technology and personnel investment, compliance with DORA, and other similar regulations, enable organisations serving the financial sector to reduce risk to their customers and increase their profitability.  By proving the security and reliability of their own ICT systems they are also reducing the potential costs associated with crisis handling for themselves and their clients.

Mark Nutt
SVP, International Sales
VOX Profile