Guarding the Vault: Strategies for Banks to Combat Ransomware Threats
By Malcolm McDowell Woods
Ransomware, a crippling cybercrime in which attackers lock up a company’s data and demand payment before access is restored, is big business. In 2023, victims reportedly paid out a record of more than $1 billion in ransom. Earlier this year, stories surfaced of one institution paying out a record $75 million ransom.
Exact trends are hard to pin down — the cybercriminals tend to overstate their successes, while ransomware victims are reluctant to publicize payouts — but for any business, ransomware represents a tremendous threat, according to Brad Robinson, the senior director for cybersecurity policy for the Conference of State Bank Supervisors (CSBS). And for the financial sector, and community banks in particular, “the threat is existential,” he warns. “If you’re not prepared, if you’re dead in the water and you can’t communicate with customers and you can’t do business, it can become a safety and soundness issue with your institution very quickly.” Smaller community-based financial institutions simply don’t have the resources to withstand a prolonged outage or closure.
Ransomware is just one subset of cybercrime, a wide variety of criminal actions that prey on the modern world’s digital connectedness to commit identity theft, fraud, scams, data breaches, and other malicious acts. In a ransomware attack, perpetrators infiltrate an organization’s network and prevent access to its data (usually by encrypting it), demanding a ransom before access is restored. Even more troubling is that cybercriminals continue to evolve their attacks, with some now employing double or triple extortion, demanding additional ransom in exchange for not publishing the stolen data or not contacting the victim’s customers directly.
Jeff Otteson, vice president of sales for Midwest Bankers Insurance Services, a WBA subsidiary and Gold Associate Member, says the banking industry represents a plum target. “Cyber criminals feel if they can crack into financial institutions and encrypt their data, infiltrate any back up system and also encrypt that, there’s a pretty big payload” waiting for them, he explains.
It’s a frightening scenario.
However, there are steps financial institutions can take to help secure their data and ward off ransomware attacks.
Rob Foxx is the director of information security and IT services for Madison-based FIPCO (Financial Institution Products Corporation), a WBA subsidiary and Gold Associate Member. Foxx performs information security audits for financial institutions, assessing their vulnerability to cyber attacks. The goal is to keep data safe and secure. The challenge is that criminals are constantly evolving their methods. “Their technology is advancing and becoming ever more sophisticated,” says Foxx. While the banking industry’s available defense systems are also evolving, Foxx points to what remains the weakest link in the armor — personnel.
“By and large, the quickest, easiest, and most common way they get in is by attacking the human element,” he says. “They will send an email that will cause fear and panic, requiring you to click on it, or to fill out information. You know, that’s the classic way. And it’s become more sophisticated because they use artificial intelligence (AI) to generate their letters.”
That means education and training throughout the workforce is critical. “The employees are the weakest link,” says Robinson. “They always will be. That’s just human nature, and the bad guys know it.” The key is practicing what he calls basic cyber hygiene, protecting your perimeter. Foremost is training and educating staff on proper information security.
That includes utilizing multi-factor authentication, ideally throughout the workforce, but particularly for admin-level, or privileged, users. “We’re talking soft tokens on your phone or, you know, actual physical key tokens that you carry around that plug into a USB,” says Foxx.
Next is securing your data. Otteson points to the 3-2-1 rule. That means maintaining three copies of your data, using two different types of media and storing one copy off-site. “That way, your data can be restored without paying ransom, suffering any downtime, or losing any data.”
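A backup that the intruders have also encrypted is worth nothing, so a 3-2-1 inventory needs to be checked, not just maintained. The following is an added example (not code from the article or from Midwest Bankers Insurance Services) that audits a backup inventory against the 3-2-1 rule, verifies each copy against the hashes recorded when the backup was taken, and applies an entropy heuristic that flags a copy that looks encrypted even when no manifest is available. The inventory, the “original” dump and the tampered copy are constructed sample data; a real inventory would be read from the backup system.

```python
"""
3-2-1 backup audit plus tamper detection. Added illustration with
constructed data; the BackupCopy objects stand in for real backup files.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str      # e.g. "disk", "tape", "object-storage"
    offsite: bool
    content: bytes  # stands in for reading the backup file


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(copies):
    """Return the list of rule violations; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies on one media type, need 2")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    return problems


def verify_manifest(copies, manifest):
    """Names of copies whose current hash differs from the hash recorded
    at backup time (missing from the manifest counts as a mismatch)."""
    return [c.name for c in copies if sha256(c.content) != manifest.get(c.name)]


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0..8 bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: ransomware output is indistinguishable from random bytes,
    so a database dump or document suddenly showing near-8-bit entropy is
    suspicious. Compressed archives also score high, so treat this as a
    signal to investigate, not as proof."""
    return entropy_bits_per_byte(data) > threshold


def _constructed_ciphertext(nbytes: int) -> bytes:
    """Deterministic stand-in for a copy overwritten by ransomware."""
    out, block = b"", b"constructed-seed"
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:nbytes]


# Constructed sample inventory: the tape copy has been overwritten.
ORIGINAL = b"account,balance\n" * 200
MANIFEST = {name: sha256(ORIGINAL) for name in ("local-disk", "tape", "cloud")}
COPIES = [
    BackupCopy("local-disk", "disk", False, ORIGINAL),
    BackupCopy("tape", "tape", False, _constructed_ciphertext(4096)),
    BackupCopy("cloud", "object-storage", True, ORIGINAL),
]

if __name__ == "__main__":
    print("3-2-1 violations:", check_3_2_1(COPIES))
    print("manifest mismatches:", verify_manifest(COPIES, MANIFEST))
    for c in COPIES:
        print(f"{c.name}: entropy {entropy_bits_per_byte(c.content):.2f}",
              "SUSPECT" if looks_encrypted(c.content) else "ok")
```

The manifest must itself live somewhere the attacker cannot reach (write-once storage or a separate account), otherwise an intruder who reaches the backup system can rewrite the hashes along with the data. The entropy check is the fallback for exactly that situation.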
Your entire network should be safeguarded by up-to-date antivirus software. “And it’s not the same antivirus software you use at home. You want something that’s enterprise level, next generation, usually, with AI and heuristic analysis in it.” All software ought to be kept up to date as well: patches close known vulnerabilities, as distinct from zero-day exploits, which target flaws for which no patch yet exists. “If your systems are out of date, you can have all the other controls in the world in place, but known vulnerabilities are easy-ins for bad guys,” says Foxx. “Those are flaws in your software, your operating system, or pretty much anything else on your computer that hasn’t been identified or patched by the companies that put it up.”
How do you know if you are taking the necessary steps? No doubt, your insurer will ask, but there are other tools you can use.
The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service collaborated to develop a tool which financial institutions can use to assess their vulnerability to ransomware attacks. The Ransomware Self-Assessment Tool, or R-SAT, was created to encourage discussions about preparedness, says Robinson. It’s freely available for download on the csbs.org website.
The tool, a list of 20 questions, isn’t designed to produce a score or rate a bank’s preparedness, but to identify potential weak links. “The whole purpose is to get folks talking about it within their institution,” says Otteson. “It’s not terribly hard to complete, but it forces people who complete it to look at the answers to the questions. It talks about incident response, employee training, multi-factor authentication, backups, how you control access to your system, to your vendor relationships. Those are all sorts of foundational things that every institution — big or small — can look at to protect themselves against ransomware.”
Taking the necessary steps will not only provide greater protection for your institution, but likely result in a lower premium. “Without multi-factor authentication in place on emails, or for privileged users, it’s very hard to secure strong terms and conditions on a cyber policy,” notes Otteson. He says a recent flattening of rates in the cyber insurance market is proof that financial institutions are doing a better job of protecting their data.
Still, it only takes one successful attack to wreak havoc. “You can always get blindsided,” admits Otteson. “The best financial institutions with the best cybersecurity platforms and teams and expertise can still get caught off guard. And we do the best we can to secure systems and deploy security patches, and train staff. But what we’ve seen in general regarding cybersecurity incidents is that it has been employees clicking on links they shouldn’t have,” or a security patch that the IT team assumed had been implemented and deployed, or someone not using MFA. In addition, the industry has seen an increase in privacy incidents at vendors; the owner of the customer data remains liable for it even when it has been shared with a third party.
And if your bank is targeted? Usually there are obvious, frightening signs, such as all of your computer monitors flashing “PAY US MONEY” in unison.
“If you’ve had an IT or information security audit, you are going to have a disaster recovery and incident response plan in place or are in the process of developing them,” says Foxx. “Once you’ve discovered that yes, we have an incident, that somebody from the outside is in and our data may have been compromised, I immediately want to get insurance and legal involved.”
When an attack happens, Otteson says he connects with the insurance company to set up a meeting of their breach response team. Legal counsel is quickly brought in, partly to protect attorney-client privilege. “Everything gets run through legal,” he says. “They will bring in a forensic firm to attempt to unlock, or decrypt, the data.” They will assess the depth of the data breach — whether the attackers reached the backup systems — and try to determine the identity of the attackers. Legal counsel will provide advice about communicating with others about the attack, helping you craft appropriate language. Finally, ransomware negotiators will be brought in. According to data collated by Comparitech researchers, almost 1 in 5 ransomware attacks led to a lawsuit in 2023. Over the past couple of years, lawsuits filed following ransomware attacks have increased, with the overall average over the last five years standing at 12 percent.
It’s the stuff of nightmares, but Otteson notes that ransomware payments dropped through the first quarter of 2024, and he credits it to the industry taking the issue seriously, with strong and robust cybersecurity, employee training, secure data backups, and staying ahead of the internal controls required by the insurance company. “Hey, doing the basics will take you a long way in protecting your institution. It’s not about a huge capital spend on crazy systems and whatnot. We want to keep you from letting people in the door to begin with.” The attacks are getting more sophisticated, but by and large it is lapses in the basics that remain the most common successful means of entry.
McDowell Woods is a freelance writer and an instructor of journalism and media studies at the University of Wisconsin–Milwaukee.