ABA Banking Journal

Ransomware Attacks Ramp Up

September 9, 2021

By Paul Benda

In March 2021, CNA Financial Corp.—one of the nation’s largest insurance companies—paid $40 million in the wake of a ransomware attack that crippled its network, according to a Bloomberg report. A few months later, cybercriminals targeted the Colonial Pipeline, which supplies fuel to much of the East Coast, with a ransomware attack that led to Colonial paying out almost $5 million.

SVP Paul Benda hosts the weekly ABA Pandemic Update podcast.

These instances are just two high-profile examples of a growing problem: the proliferation of ransomware and extortion-ware. These types of cyberattacks occur when cybercriminals use malware to encrypt files on a device or information on a network, rendering them unusable. Criminals then demand payment in exchange for decryption.

Over the past several years, ransomware attacks have grown in scope and scale, and are now targeting critical infrastructure entities, including financial services providers. According to an eWeek security analysis, more than half of companies faced ransomware attacks, and of those, 26 percent paid the requested ransom. Even if companies choose not to pay, ransomware attacks can still be costly and devastating. For example, after the University of Vermont Health Network was compromised by ransomware in June 2021, it lost an estimated $63 million in the process of rebuilding its network infrastructure and restoring compromised hard drives.

Unfortunately, even for those that do pay, obtaining a decryption key is not a panacea—firms must still conduct testing on every machine and network endpoint to ensure that the malware has been successfully removed. One global survey of 5,400 IT decision makers found that around half of those who paid ransom recovered just 65 percent of the encrypted data compromised in the attack. Another 29 percent said they only recovered half of the data.

The staggering cost and increasing frequency of ransomware attacks would seemingly make the case for cyber insurance—but, surprisingly, anecdotal evidence suggests that a majority of financial institutions are not cyber-insured. And with cyberattacks on the rise, the cost of cyber insurance is also increasing, and ransom payments as an insurable risk may not be sustainable in the long run.

The federal government has taken several steps to address the growing problem of ransomware, including establishing a new Department of Justice task force that centralizes the DOJ’s efforts to track cyberattacks and digital extortion schemes. FBI Director Christopher Wray even went so far as to compare the threat of ransomware to the terror threat that followed in the wake of 9/11.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Wray told the Wall Street Journal. “There’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”

Banks can find information on ransomware by visiting a new, dedicated website created by the Cybersecurity and Infrastructure Security Agency, cisa.gov/stopransomware. The site provides resources to help evaluate risk and harden systems against potential attacks. It also includes a reporting portal that banks and other companies can use to report cyber incidents to the appropriate authorities.

In addition to these efforts, bank regulators have issued a notice of proposed rulemaking that would direct banks to notify their federal regulator within 36 hours after developing a good-faith belief of a “computer security incident” that will materially disrupt, degrade or impair banking operations. Importantly, this would not replace Gramm-Leach-Bliley consumer data breach notice requirements. Additionally, the rule places a burden on a bank’s third-party providers to provide immediate notice to a bank of a disruptive incident.

While this proposal is a step toward ensuring clarity and consistency around the reporting of cyber incidents, ABA raised concerns that as written the definition of “computer security incident” is overly broad and recommended targeted changes before the rule is finalized—which is not expected until the end of 2021. ABA also continues to monitor legislative activity around ransomware and the prevention of cyberattacks and will continue to update members as new developments arise.

Government efforts aside, now is the time for banks to take steps to ensure their cyber preparedness and review best practices for securing their data infrastructure. Extra vigilance today can help prevent a costly incident tomorrow.

Paul Benda is SVP, cybersecurity and operational risk at ABA.

Tags: Cybersecurity, Ransomware, Risk management