In
A few months later, cybercriminals targeted the
SVP Paul Benda hosts the weekly ABA Pandemic Update podcast.
These instances are just two high-profile examples of a growing problem: the proliferation of ransomware and extortion-ware. These types of cyberattacks occur when cybercriminals use malware to encrypt files on a device or information on a network, rendering them unusable. Criminals then demand payment in exchange for decryption.
Over the past several years, ransomware attacks have grown in scope and scale, and are now targeting critical infrastructure entities, including financial services providers. In fact, it's estimated that a new ransomware attack is detected every 11 seconds.
According to an
Unfortunately, even for those that do pay, obtaining a decryption key is not a panacea: firms must still conduct testing on every machine and network endpoint to ensure that the malware has been successfully removed. One global survey of 5,400 IT decision makers found that around half of those who paid ransom recovered just 65 percent of the encrypted data compromised in the attack. Another 29 percent said they only recovered half of the data.
The staggering cost and increasing frequency of ransomware attacks would seemingly make the case for cyber insurance, but, surprisingly, anecdotal evidence suggests that a majority of financial institutions are not cyber-insured. And with cyberattacks on the rise, the cost of cyber insurance is also increasing, and ransom payments as an insurable risk may not be sustainable in the long run.
The federal government has taken several steps to address the growing problem of ransomware, including establishing a new
'There are a lot of parallels, there's a lot of importance, and a lot of focus by us on disruption and prevention,' Wray told the
Banks can find information on ransomware by visiting a new, dedicated website created by the
In addition to these efforts, bank regulators have issued a notice of proposed rulemaking that would direct banks to notify their federal regulator within 36 hours after developing a good-faith belief of a 'computer security incident' that will materially disrupt, degrade or impair banking operations. Importantly, this would not replace Gramm-Leach-Bliley consumer data breach notice requirements. Additionally, the rule places a burden on a bank's third-party providers to provide immediate notice to a bank of a disruptive incident.
While this proposal is a step toward ensuring clarity and consistency around the reporting of cyber incidents, ABA raised concerns that as written the definition of 'computer security incident' is overly broad and recommended targeted changes before the rule is finalized, which is not expected until the end of 2021. ABA also continues to monitor legislative activity around ransomware and the prevention of cyberattacks and will continue to update members as new developments arise.
Government efforts aside, now is the time for banks to take steps to ensure their cyber preparedness and review best practices for securing their data infrastructure. Extra vigilance today can help prevent a costly incident tomorrow.
(C) 2021 Electronic News Publishing, source