A version of this post appeared in Risk & Compliance.
Imagine this scenario: You arrive at the office to find everything is essentially on lockdown. Your computer network and customer data files are inaccessible. Email is offline. The lights, landline phones, WiFi and heating, ventilation and air-conditioning (HVAC) system are not working. Even if you could reach your customers and business partners, you cannot begin to guess when you will be up and running again, or whether their personal or corporate information has been hacked.
As ransomware attacks increase, more financial services providers are living this nightmare – and paying the price of lost business, reputational damage and, in some cases at least, seven-figure ransom payments.
Hackers, often working for criminal organizations, have shut down city governments, banks, school districts and medical centers by breaking into their computer systems and shutting them down until the victim gives in to their extortion demands. The financial services sector has proven particularly vulnerable – more than 25 percent of all malware attacks have hit banks and other financial firms, more than any other industry, according to cyber security provider IntSights.
Because the effects of these assaults are apparent to so many, they often become public quickly. This complicates matters greatly for the targeted financial institution (FI), or indeed any targeted organization. Not only must it work with law enforcement and cyber specialists to assess the incident and figure out how to get everything back to normal as soon as possible, the organization must also maintain control over internal and external messaging in a frightening, chaotic and intensely dynamic situation. How the victim handles communications will affect trust in the institution and its public image in the weeks, months and even years ahead.
To mitigate both short-term panic and long-term reputational damage from a ransomware attack, below are five golden rules for FIs to consider before they become the next target.
1. Internal communications are vital
Communicating in a timely and consistent manner with employees must be an immediate priority in the aftermath of a ransomware incident, because they are likely to be affected the most. Workers may not be able to do their jobs if they cannot log into their workstations or access files or email via mobile devices. Specifically, employees will need prompt instructions on whether to remain off the corporate network, turn in their devices for scanning, or work remotely rather than coming into the office. And, if the attack impacts customers and vendors, employees will likely be the first people those customers and vendors ask what they should do.
Simply reaching employees will be a challenge if corporate email is down. That means leadership will need to deploy a safe and efficient alternative channel as soon as possible. To shorten any blackout time, companies should work proactively to set up and test an off-network means of communicating with employees, including the incident response team, which cannot afford to be left in the dark.
2. Communicate with impacted stakeholders quickly—but thoughtfully
Depending on the scope of the ransomware attack and how long it will take to restore normal operations, organizations should think twice about how much information they should share. If a financial firm’s email system is locked down, but the firm is still able to process transactions and communicate with customers via phone, it could “break itself into jail” by publicly communicating about the incident.
Institutions are advised to communicate proactively with those impacted by the incident if: (i) they are legally required to (if personal or sensitive data has been compromised); (ii) there is a significant impact on operations that could affect customers; and (iii) they are receiving a significant volume of inquiries or complaints from external stakeholders (media, customers and investors). In these cases, it is important to inform stakeholders – particularly those directly impacted – to demonstrate accountability and control the public narrative.
3. Legal, forensic, operations and PR must be in lockstep
As with the response to any data security incident, a company that has been crippled by a ransomware attack must ensure its various internal functions are working together. One mistake is not looping the communications team in on critical restoration or investigatory updates. Another happens when the other internal functions block the communications team from releasing timely information. Providing the communications team with insight into the legal, forensic and operational sides of the incident response will ensure that all messaging is accurate and minimizes legal and reputational risk for the company.
It is also imperative that organizations evaluate all legal, IT, operational and reputational ramifications when weighing whether to pay a ransomware extortionist. For instance, if the attack is likely to prevent a firm from conducting business for an extended period of time, payment may be the best option to preserve customer trust, especially if the cost is covered by the organization’s cyber insurance policy. At the same time, paying the ransom may embolden the attackers to hold out for more.
4. Make a plan for possible outcomes
Entities hit by a ransomware attack are often put in the uncomfortable position of having to communicate publicly about the incident before understanding its full scope and impact. There are typically several unknowns in the immediate aftermath of detecting a ransomware incident, including: (i) whether personal and sensitive data has been impacted or exfiltrated; (ii) whether the organization will be able to negotiate and reach agreement with the hackers; and (iii) how long it will take to restore operations, either by restarting and then securing the impacted system or by switching over to a backup system. To be better prepared, organizations should scenario-plan for these various outcomes, including developing internal and external communications strategies for each.
5. Do not take the bait
Ransomware attacks tend to incite public concern. The primary objective for FIs is to allay these worries and restore trust. While firms will be asked whether they paid a ransom – and if so, how much – FIs should think carefully before publicly discussing what the firm paid or did not. If a company discloses that it chose not to pay, customers might be upset to learn the firm did not take every step to minimize the impact of the business disruption on them. Conversely, law enforcement and industry peers may be upset if a firm gives in and pays because it could incentivize future attacks on the industry (media also tend to paint ransom payments in a negative light).
Many stakeholders, including investors, may not understand the role of cyber insurance in covering a ransom payment liability. Instead of talking about the ransom demand, the company should keep its message focused on remediating the problem as quickly as possible and on the steps it is taking to reduce any disruption to employees, customers and other stakeholders.
Experts predict that ransomware attacks will continue to rise. In 2019, an organization fell victim to cyber extortion every 14 seconds somewhere in the world, according to a projection by CyberSecurity Ventures. In two years, that rate will accelerate to every 11 seconds, it predicts. Rather than be caught flat-footed, FIs should develop and test response communication plans to an attack before one inevitably occurs.
Jamie Singer is senior vice president, Advisory, Chicago.