IMPACT ANALYSIS: Should Firms Pay ‘Ransomware’ Demands? Responding to New Cyber Threats
Feb 25 2016
By Todd Ehret, Regulatory Intelligence, Thomson Reuters
A cyber-attack against a California hospital grabbed headlines last week when the facility concluded that the best course of action was to concede and pay the hackers’ ransom demand. The attack called attention to a growing cyber security threat that even the FBI says can leave a victim little choice but to pay up.
The malware attack locked access to electronic medical records at Hollywood Presbyterian Medical Center. That effectively shut down the hospital’s computer systems for more than a week until it agreed to pay the attackers 40 bitcoins, with an approximate value of $17,000.
Ransomware has become one of the most common threats to all businesses as well as individuals. The problem is not unique to healthcare institutions. Schools, municipalities, and even local police and sheriff departments have forked over the ransom to hackers as a last resort in order to regain control of their computers or networks.
This should serve as a wake-up to all businesses and compliance professionals that no one is immune to the aggressive ransomware attacks. Below is an overview of this latest and very prevalent cyber threat to firms, a review of some simple safeguards, and some policies and procedures advice for compliance departments.
Ransomware attacks rapidly growing
Various sources, including network security and anti-virus firm Symantec, conservatively estimate at least $5 million annually is extorted via ransomware from victims, with an average ransom of approximately $200. The FBI estimates that between April 2014 and June 2015, it received 992 complaints related to the “CryptoWall” family of ransomware, with victims reporting losses totaling over $18 million. Individual personal computers are not the only targets. A growing number of victims are being hit with ransomware that locks down mobile devices as well and demands payments to unlock them.
Ransomware is malicious software that, when deployed, effectively walls off data so that it is inaccessible to users. Ransomware infects devices and systems via spam and phishing messages, botnets, exploit kits, compromised websites, and “malvertising.” Ransomware is often delivered using a social engineering trick to get potential victims to click on malicious email attachments or open crafted Short Message Service (SMS or text) messages, which lure them to compromised or malicious websites. Ransomware targets all sizes of businesses and institutions, home computers, mobile phones, and other devices.
Once infected the hackers hold the data ransom by demanding payment for the decryption key necessary to unlock the data. The hackers will usually demand payment in bitcoin digital currency. Bitcoin has made ransomware even more popular in the hacking universe because it can be received swiftly and anonymously and is hard to trace. Prior to bitcoin, payment was made via pre-paid cash cards and SMS messages.
The attacks can be either broadly disseminated through spam emails and infected internet sites or targeted to specific individuals or businesses after some preliminary background research of publicly available information.
Stamford Hackathon suggestions:
Last week at the Stamford, Connecticut Stamford Hackathon, an event sponsored by small business network security provider U.S. Computer Connections, presenters cited ransomware disseminated through social engineering as the newest and most prevalent threat to small business networks.
Examples of numerous businesses and individuals becoming subjected to various ransomware attacks were discussed. Although paying the ransom is not the first choice of action, a poorly designed network with inadequate backup capabilities may have few other options. In the examples discussed hackers demanded payment by bitcoins in amounts from $500 to $5,000.
Topics also discussed included network design, backup and data recovery solutions, IT and regulatory policies and procedures, employee training and education.
Some simple preventative measures include:
- Implement a strong password policy requiring all users to regularly change passwords and require more complex passwords, i.e., mixture of lower and uppercase letters, numbers, and symbols.
- Make sure all network patches and anti-virus software are updated regularly.
- Review and audit all permissions in your network.
- Update and deactivate all user accounts regularly.
- Deactivate and off-board departing employees.
- Wall off, or segregate users and certain sensitive data.
- Change network and Wi-Fi passwords regularly.
Compliance policy and procedures
The Department of Health & Human Services Office for Civil Rights announced the launch of its Cyber-Awareness Initiative on February 2, 2016. The announcement included information on ransomware attacks and prevention strategies. In addition to most of the items above, the office advised implementing browser filters and installing pop-up blockers.
It also emphasized employee training and smart email practices as key to preventing cyber-attacks.
Although most of these suggestions are already requirements under U.S. healthcare privacy regulations, the information is also useful to other business with similar network security and customer privacy concerns. The suggestions are also very transferable to investment advisers and broker dealers
Direction from the SEC:
The U.S. Securities and Exchange Commission, has made cyber security a top issue since its 2014 National Exam Priorities.
Shortly thereafter the SEC followed up with a roundtable meeting on cyber security in March of 2014. Less than a month later on April 15, 2014, the SEC?s Office of Compliance Inspections and Examinations (OCIE) followed up with a Cyber Security Initiative Risk Alert that announced a round of exams. Last year a Summary of findings from the exam sweep was published.
Below are some key observations from the first round of exams:
- 83 percent of the investment advisers have adopted security policies and procedures, and also conduct periodic audits to assess compliance with such policies and procedures.
- Business continuity and disaster recovery plans are the area that most often address the impact of cyber attacks and outline the plan to resolve such incidents.
- Many firms are following external standards to model their information security architecture and processes. Most common are those published by the National Institute of Standards and Technology, the International Organization for Standardization, and the Federal Financial Institutions Examination Council.
- A majority of the firms examined are conducting firm-wide inventorying, cataloging, or mapping of their technology resources and are performing firm-wide, risk assessments to identify cyber security threats, vulnerabilities, and business consequences.
- The vast majority of the firms conduct periodic risk assessments to identify cyber security threats and vulnerabilities and thus business risk.
- Only 32 percent of advisers apply the assessments to vendors with access to their firms? networks.
- Over half of the examined broker-dealers maintained insurance for cyber security incidents, but only a small number of the advisers held similar insurance.
- 88 percent of broker-dealers and 74 percent of the advisers have experienced cyber-attacks directly or through a vendor. Most were via malware or fraudulent emails seeking to transfer client funds.
With this series of SEC warnings and an initial exam sweep, there is little doubt that the SEC is taking cyber security seriously. This was reiterated with yet another Risk Alert from OCIE in September last year. This alert announced a pending new round of exam sweeps. This time the exams will be on-site and more thorough than exams in the initial sweep, which were primarily document requests and oral interviews.
Actions for all advisers:
- Conduct periodic information technology security risk assessment and vendor reviews.
- Create and test a strategy that is designed to prevent, detect, and respond to cyber security threats.
- The strategy and reviews must be documented and memorialized as part of policies and procedures.
- Advisers must have a written incident response plan (see Enforcement Action below).
- Access rights and controls for different employees and sensitive information must be established.
- Advisers need to include in their policies and procedures training of internal staff and vendors.
- Extra attention should be placed in the areas of remote customer access (i.e., on-line account access) and funds transfer requests.
A recent SEC Enforcement Action sheds some important light on the SEC’s expectations and leaves no doubt that they will hold advisers accountable for failures. In this instance the adviser detected a breach and responded promptly. However, the SEC still fined and censured the firm for having inadequate written policies and procedures even though none of the firm’s clients reported any financial harm.
Investment advisers should have already taken these steps towards creating a cyber security protection program as part of their business continuity plan and disaster recovery plans. It is now very clear that the SEC is not going to take cyber-security lapses lightly. Therefore, firms should make sure their written policies and procedures are adequate and networks are secure. Each firm should decide the extent of their plans based on their own complexity and unique business needs. Continually testing the effectiveness of plans and documenting such testing will go a long way with regulators.
FBI: few alternatives to paying up
Companies infected with ransomware may have little practical choice but to meet the attackers’ demands, said Joseph Bonavolonta, the Assistant Special Agent who oversees the FBI?s CYBER and Counterintelligence Program in Boston.
“The ransomware is that good,” Bonavolonta told an audience of business and technology leaders at a cyber security conference. ?To be honest, we often advise people just to pay the ransom.?
“The amount of money made by these criminals is enormous and that?s because the overwhelming majority of institutions just pay the ransom,” Bonavolonta said.
The FBI’s Internet Crime Complaint Center (IC3) in June released a public-service announcement recommending steps similar to those mentioned above to keep the hackers away. It also recommended that perhaps the most important and simplest safeguard is to be skeptical of everything. Don’t click on any unfamiliar emails or attachments and avoid suspicious websites completely.
IC3 also advises subjects who suspect a ransomware attack to file a complaint with their local FBI field office.
Another simple suggestion regarding ransomware is to try stopping it before it starts. The simplest way to stop it before the program takes over is to pull the Internet connection immediately when you suspect you are becoming infected. Before ransomware can fully activate and encrypt your files it must first call back to the hacker-controlled server and get the encryption key. If one can stop the ransomware from phoning home, it won’t run.
Todd Ehret is a Senior Regulatory Intelligence Expert for Thomson Reuters Regulatory Intelligence. He has more than 20 years’ experience in the financial industry where he held key positions in trading, operations, accounting, audit, and compliance for broker-dealers, asset managers, and hedge funds.