By John Carlson and Joshua Hubbard
Ransomware poses a significant cyber threat to financial institutions. Based on Verizon’s 2025 Data Breach Investigations Report, ransomware was present in 44% of data breaches in 2024, up from 32% the previous year. Cybercriminals often employ ransomware-as-a-service, or RaaS, to steal and encrypt data for the purpose of extorting firms for a substantial amount of money, typically in the form of cryptocurrency. The extortion demand comes with a promise to decrypt the data, or to refrain from publishing the firm’s data, but that raises the question of whether the payment will truly end the nightmare.
Over the past 12 months, the American Bankers Association has convened several panel discussions and a simulation to highlight the key decisions bankers will likely encounter when faced with a ransomware attack and a demand for a payment.
When to convene incident response plans
Cyberattacks often originate at service providers that banks rely on. In addition, cyber threat actors often target bank employees through email phishing attacks. One of the first decisions bankers face when presented with a cyber incident and ransomware demand is when to convene the bank’s incident response team. Two key processes that banks should have in place are a robust third-party risk management program and a security awareness training program for employees. Equally important is having a well-rehearsed incident response plan with a qualified team in place.
Communication strategy
As part of the incident response plan, it’s important for banks to have a clear strategy for when and how to communicate with staff, customers, law enforcement, regulators, the media (traditional and social) and other stakeholders in response to an incident. Getting caught flat-footed when social media feeds get flooded with posts (both real and fake) can quickly damage a bank’s reputation. It is important for the bank’s communications team to have a strategy for when to communicate and then how to communicate to protect the institution’s reputation, provide staff with instructions on what they can communicate, inform customers with information that is accurate, update regulators and engage law enforcement.
There are numerous notification requirements with different deadlines. These include the 2005 “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” the 36-hour requirement to notify federal banking agencies, four business days for public disclosure through SEC Form 8-K of material cyber incidents for publicly traded banks, and a forthcoming Department of Homeland Security requirement of 72 hours for significant cyber incidents and 24 hours for the payment of ransoms. These are extraordinarily short timelines, so banks need to have clear procedures in place for gathering information, assessing the impact of the incident and notifying key stakeholders such as employees, customers, law enforcement and regulators.
Cyber risk insurance considerations
Given that banks buy cyber risk insurance coverage, it is important that bank management and the incident response team be well versed in the details of the cyber risk insurance policies they buy.
Many cyber risk insurance policies include specific requirements for reporting a ransomware attack to your insurance provider, specific forensic investigation protocols and specific procedures for facilitating a ransom payment. Departing from those requirements could violate the cyber insurance policy and result in a denial of coverage. A critical question to ask when evaluating cyber risk insurance policies is: Do your incident response plan and cyber insurance policy contain adequate flexibility to negotiate with the attackers for the purpose of buying yourself enough time?
To pay or not pay the demand for ransom
Of course, the big question is whether the bank should pay the ransom. There are many factors to consider, including whether payment of the ransom actually results in the return of decrypted data and whether the bank could be further victimized.
Federal authorities strongly discourage the payment of ransoms; however, not all payments are necessarily illegal. It is important to know who would receive or benefit from the ransom payment. There is a risk the ransomware payment could involve a person on the sanctions lists of the Department of the Treasury’s Office of Foreign Assets Control or a comprehensively embargoed jurisdiction, and a bank’s risk-based approach to sanctions compliance should account for that risk. Violations of OFAC regulations are assessed on a strict liability basis and can result in steep civil or criminal penalties.
A more recent announcement from OFAC titled, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” is another useful tool to analyze the risk and compliance involved with engaging with sanctioned entities.
In addition, banks may have an obligation to report the transaction to Treasury’s Financial Crimes Enforcement Network as a suspicious transaction. FinCEN has issued an advisory for banks on making or facilitating ransomware payments.
If the bank decides not to pay the ransom, it should determine whether it has reliable backup data to reconstitute operations and has established controls to prevent further efforts to victimize the bank.
Resolving potential conflicts with board members
During our cyber simulation last year, the ABA simulated a situation in which bank management and key members of the board of directors differed on whether to pay the ransom. When time is of the essence, these sorts of disagreements add to what is a very stressful situation. Hence, it’s important for management to have clear guidance from the board as to what conditions the bank would or would not pay a ransom. Also, when we ran our simulation, we asked ABA members in the audience how they would have responded to the scenario and the majority of bankers said that they would not pay the ransom.
Government resources
There are several resources that banks can rely on. First, federal law enforcement agencies have experience in responding to ransomware attacks against financial institutions and others that are part of “critical infrastructure.” For example, the FBI, Secret Service, foreign law enforcement and private sector partners work to provide decryption keys for various ransomware variants. Some decryption tools are publicly available; however, others are available only directly from relevant law enforcement agencies (due to sensitive ongoing investigations). Banks may also contact their local U.S. Secret Service office as soon as possible. Banks should contact OFAC if there is any reason to suspect a potential sanctions nexus with regard to a ransomware payment.
Additionally, the FBI, Secret Service and the Cybersecurity and Infrastructure Security Agency publish information to assist organizations with ransomware. In particular, CISA provides a ransomware campaign toolkit which is “designed to help partner organizations (including FIs) as well as state, local, tribal and territorial officials bring awareness to ransomware risks and how to mitigate them.”
In addition, the Conference of State Bank Supervisors developed a ransomware toolkit in partnership with law enforcement to help financial institutions assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security.
ABA resources
The ABA ransomware toolkit provides an easy-to-follow guide on how to protect your systems, understand the pros and cons of paying a ransom, respond quickly and maintain operational resilience.
Key questions
In summary, here are questions bankers should ask in order to be better prepared to respond to a cyberattack and ransomware extortion:
- Have you identified the key players on your incident response team and who is responsible for decisions during an incident?
- Are the correct people from your organization’s public relations and marketing teams delegated the authority to respond to any mainstream and social media attention?
- How do you manage and communicate these incidents with third-party providers?
- Do you know what’s in your cyber insurance policy and how it may impact both incident response actions and cooperation with third-party providers?
- Do you know the criteria for reporting (and the various timelines) for federal agencies (e.g., banking agencies, law enforcement, DHS/CISA and SEC)?
- Is the organization aware of potential compliance issues with payment of ransom (e.g., OFAC’s sanctioned entities)?
- Do your organization’s risk-based sanctions and Bank Secrecy Act compliance programs address ransomware attacks?
- Are you plugged into industry groups and resources that might be helpful during an incident (e.g., FS-ISAC, ABA)?
- Are you staying abreast of AI and other emerging technologies and considering how they might impact your ability to respond to a cyber incident?
John Carlson is senior VP, cybersecurity regulation and resilience at ABA. Joshua Hubbard is program manager, cybersecurity at ABA.