Few industries are as reliant on digital technologies as financial services. The industry consists of an estimated 17,000 interconnected financial entities, markets and platforms that provide products and services to consumers. However, the complex IT systems required to deliver financial services, coupled with the significant volume of personal information collected, used, disclosed and stored by financial service institutions, means that the sector faces consistent and serious cyber threats.
According to the latest of the OAIC's notifiable data breaches reports for January to June 2021, the financial services sector recorded the second highest number of data breaches across all industry sectors (behind the health sector).
Importantly, the OAIC's report disclosed that, while human error was the most common source of data breaches across Australia, malicious or criminal attacks were the most common source of data breaches in the financial services sector, accounting for two thirds of those reported. The sector also reported the highest number of data breaches resulting from system faults.
The increase in malicious or criminal attacks and the role of human error was consistent with the findings in our sixth annual cybersecurity report, Perspectives on Cyber Risk, which found that 70% of all reported incidents originated from phishing messages (a common precursor to ransomware attacks).
In response to the cyber threats faced by the financial services sector, regulators, including the Australian Prudential Regulation Authority (APRA), have introduced standards and guidelines. They aim to ensure that appropriate security measures are implemented to protect consumers’ privacy as well as safeguard the stability of the sector (and, by extension, the economy).
This is in addition to the raft of regulation, including the Privacy Act 1988 (Cth), the Corporations Act 2001 (Cth), the Competition and Consumer Act 2010 (Cth), and (for some Australian organisations) the European General Data Protection Regulation. Further changes are on the horizon with the Security Legislation Amendment (Critical Infrastructure) and Ransomware Payments Bills, currently before Federal Parliament.
The financial services sector, from executive to operational levels, therefore needs to understand the significant threat posed by ransomware attacks. Organisations need to implement processes and technology, as well as a culture of security, to prepare for and protect themselves against attacks within this rapidly evolving regulatory framework.
Against this backdrop, MinterEllison recently hosted a roundtable for the financial services sector that explored the 'anatomy of a ransomware attack'. It featured panellists Andrew Cornell, Ashley Jones, Leah Mooney and our Head of Cyber, Paul Kallenbach.
The panel looked at what a typical ransomware attack might look like, how to prevent them or mitigate risk, and considered the regulatory landscape for financial services organisations managing cyber risk.
Ransomware is continuously evolving. Participants had some pertinent questions on how to deal with this ongoing problem. We explore some of these questions below.
How have ransomware attacks evolved?
Cybercrime gangs are becoming increasingly sophisticated.
Ransomware crews are targeting much larger organisations than they have in the past. This is known as 'big game hunting'. In addition, cyber criminals are no longer just locking up data, but are also stealing it.
Another aspect of this evolution is 'ransomware as a service'. Ransomware crews model themselves as legitimate, enterprise-level software service businesses. They set up wide networks of freelance specialists, making it even more challenging to defend against attacks.
The same cyber criminals are infiltrating organisations by offering employees cash incentives to install malicious software or kickstart their ransomware process internally.
Trusted staff members could therefore pose an increased risk.
What are the chances of getting an organisation's data back after an attack?
The panellists concluded that, in their combined experience, the chances of getting the data back are low.
In the past, ransomware was about locking up a computer and was directed at individuals. The ransom payment would generally enable the target to unlock their own computer. This has evolved in the last few years into more sophisticated attacks against corporate entities and individuals.
There is increasing evidence that, not only do ransomware attacks lock up individuals' computers, but ransomware strains now have data exfiltration capacity. Consequently, ransomware actors are leveraging two, and sometimes three, layers of extortion.
The first layer is directed against the target organisation, seeking a payment to unlock a compromised system. The second layer is an extortion attempt for the return of stolen data, including a threat to release the data if the organisation refuses to pay. And the third, most unfortunate layer, is directed at the people whom the attackers find within that data – the impacted individuals – and involves attempts to extort them individually.
In the end, because organisations are dealing with criminals, trusting them to commit to destroying the organisation’s data is a risky proposition.
Is it legal to pay a ransomware demand?
In Australia, there is currently no specific law that prohibits the payment of a ransomware demand.
There are, however, provisions under Commonwealth, State and Territory law that forbid payment in circumstances where a person is reckless or negligent as to whether the money will be used as an instrument of crime.
For example, if an organisation makes a ransomware payment to a ransomware syndicate, it is conceivable that the syndicate may reinvest some of that money into their criminal enterprise – and therefore in the furtherance of ransomware crime. Although the defence of duress may be available in some cases, ultimately this is a grey area.
In addition to criminal provisions relating to instruments of crime, the payment of a ransom may also contravene laws prohibiting payments to sanctioned organisations and terrorist groups.
It is therefore crucial that any organisation considering the payment of a ransom conduct appropriate due diligence into the organisation or the individual seeking payment (which isn't always practical or possible).
Wherever possible, the advice of government and law enforcement authorities (as well as panellists) is not to pay the ransom.
Who makes the decision about whether to pay a ransom?
The decision about whether to pay a ransom may rest with many people – board members, executives, and even those outside the organisation. It may also be necessary to speak with third parties (such as insurers) to determine whether the payment of a ransom may be covered by a cyber insurance policy.
These considerations should be thought out and documented in a ransomware payments policy well before a ransomware attack occurs, rather than ‘on the fly’ as an event is unfolding. The ransomware policy should document:
- the possible ransomware scenarios that the organisation might face (including different classes of vulnerable data and systems);
- the organisation’s general posture towards paying a ransom (having regard to financial, operational and reputational considerations);
- the circumstances in which the organisation would pay a ransom (and the maximum amounts it would pay, including escalations and authority levels).
How can organisations be protected against a ransomware attack?
Panellists advised organisations to go back to basics. This means ensuring computers are patched, enabling multifactor authentication and building a safe and informed culture of security within the organisation.
They recommended three steps that will help organisations protect themselves.
Align with an external framework
Align with external frameworks such as the ASD Essential Eight or the NIST Cybersecurity Framework.
Organisations should also carefully focus on mitigating supply chain risk by conducting appropriate due diligence and audits, and by uplifting contractual arrangements with suppliers.
Conduct data breach response plan drills and regularly update the plan
Organisations should regularly test their data breach response plans. Most organisations now have a data breach response plan (80%, according to our Cyber Report). However, only 55% tell us that they are testing and updating their plans regularly.
Data breach response plans should be regularly updated in light of rapid changes in the threat and regulatory landscapes.
Train and educate
Human error plays a key part in a large majority of data breaches. Employees need appropriate training on how to identify and respond to phishing emails and other attacks.
What are some best practices in responding to ransomware attacks?
For organisations that fall victim to a ransomware attack, there are some important considerations.
Consider the impacted individuals
The best case studies on how to manage cyber attacks are from organisations that place impacted individuals at the centre of the investigation – rather than approaching it as a minimum compliance exercise. Organisations should consider the position of the impacted individual at all stages, including when drafting data breach notifications and determining potential remediation measures.
Time notifications carefully
Organisations should carefully consider the timing of their decision to notify. Notifying too early – before all relevant facts are known – may cause unnecessary harm to impacted individuals. The notifiable data breach scheme under the Privacy Act is aimed at minimising harm to individuals. This includes notification harm.
Bring in third parties early
Organisations should have a list of pre-vetted third-party experts that they can contact in the event of a ransomware attack, and who can help the organisation make objective, dispassionate, evidence-based decisions. Should a ransomware attack occur, the organisation should ensure that it brings these experts in early.