In October 2021, a California community bank was victimized by a ransomware attack. The hackers obtained sensitive information from the bank’s systems, including loan application forms, tax returns, W-2 information, payroll records, names, addresses and Social Security numbers. They threatened to release this information if the bank failed to negotiate.
The bank incurred significant financial costs and reputational damage associated with the attack. It also offered free credit monitoring and identity theft protection services to affected customers. This is just one of many examples of community banks that have been targeted by ransomware attacks in recent years.
Double trouble
There was a time when smaller banks reasonably believed that cybercriminals would leave them alone, because larger institutions offered a bigger payoff. Recently, however, the trend has reversed. Cybercriminals are now targeting small banks, which they believe lack the wherewithal to protect against these attacks and have less robust internal controls than larger institutions.
A new ransomware scheme involves so-called “double extortion” attacks. In a traditional ransomware attack, the cybercriminal sends a phishing email to a bank employee or other user of the bank’s systems. If the recipient clicks on the link in the email, it introduces malware that infects the bank’s system, encrypting its data. The cybercriminal demands a ransom payment in exchange for the decryption key.
In some cases, however, victims were able to quickly restore their systems from unaffected backups and thus refused to pay the ransom. To avoid this result, a double extortion attack involves stealing sensitive data and threatening to release it if the ransom isn’t paid.
Protective measures
To minimize the risks associated with ransomware attacks, community banks should follow industry practices recommended by the Federal Financial Institutions Examination Council (FFIEC) and other federal banking agencies. These include:
- Regularly assessing the bank’s exposure to ransomware risks and patching any vulnerabilities,
- Educating employees about the risks of ransomware and training them on identifying and reporting potential attacks,
- Inventorying hardware, software, connections and data, with programs in place that identify vulnerabilities,
- Implementing backup systems designed to protect data from cybercriminals,
- Segmenting networks to limit a cybercriminal’s access within the system if a breach occurs,
- Managing third-party risks that expose the bank to ransomware attacks,
- Implementing email filtering processes that identify malicious messages and prevent them from reaching end users, and
- Restricting the use of employees’ personal devices on the bank’s network.
Be aware that payment of ransomware may result in sanctions if the cybercriminal is listed by the Office of Foreign Assets Control (OFAC) as a known or suspected terrorist or terrorist organization. Reporting ransomware demands promptly to the federal authorities can help mitigate these sanctions. Banks also may need to file Suspicious Activity Reports (SARs) in connection with ransomware payments.
Another critical tool for defending your bank against cyberattacks is a program of regular system vulnerability assessments and penetration tests. Vulnerability assessments involve scanning all internal and external networks to identify security flaws or weaknesses. Penetration testing — a form of “ethical hacking” — involves the intentional launching of simulated cyberattacks to identify any vulnerabilities that can be exploited to compromise the bank’s systems or data. It can also be used to test the bank’s security policies, employees’ security awareness, and the bank’s ability to flag and respond to security issues as they happen.
Typically, vulnerability assessments should be conducted twice a year and penetration testing should be done annually. But the appropriate frequency of testing depends on your bank’s circumstances and resources.
Have a plan
As cyber risks continue to mount, your bank needs a comprehensive cybersecurity plan that reduces risks and minimizes damages should they occur. It should include an incident response protocol for containing an incident, coordinating with law enforcement and third parties, restoring systems, preserving data and evidence, providing customer assistance, and reporting the incident to the relevant federal banking regulator within 36 hours.
© 2023