CM December 2023

More documents

Recommendations

Info

INFORMATION SECURITY Held to ransom Ransomware is a growing concern. So what can you do about it? AUTHOR – Andrew Northage IN a recent joint blog post, representatives from the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) explained their increasing concern about what happens behind the scenes when ransomware attacks go unreported. The blog debunked a number of common myths relating to ransoms that invariably lead to trouble. Common misunderstandings included ‘if I cover up the attack, everything will be ok,’ ‘reporting to the authorities makes it more likely your incident will go public,’ and ‘paying a ransom makes the incident go away.’ In reality, the truth couldn’t be more distant. The financial sector a risk In July 2022, TechCrunch reported that a ‘ransomware attack on a debt collection firm is one of 2022’s biggest health data breaches.’ As the story outlined, a USbased professional finance company, which contracts with organisations to process customer and patient unpaid bills and outstanding balances, disclosed that month that it had been hit by ransomware the prior February. TechCrunch noted that the company said in its data breach notice that more than 650 healthcare providers were affected by its ransomware attack, adding that the attackers took patient names, addresses, their outstanding balance and information relating to their account. It said that in some cases dates of birth, social security numbers and health insurance and medical treatment information were also taken by the attackers. Overall, the U.S. Department of Health and Human Services reckoned that more than 1.91m patients were affected by the cyberattack. And a year later, to the day, Comparitech published research that detailed that since 2018, ransomware attacks on the finance sector have cost the world economy $32.3bn in downtime alone. It stated that from 2018 to June 2023, 225 financial organisations had been hit by a ransomware attack. It added that ransom demands varied from $180,000 to $40m but on average, hackers demanded $6.9m; and that downtime varied from one day to The regulations provide for the imposition of asset freezing and travel bans on persons involved in relevant cyberactivity. Other UK sanctions, known as sectoral sanctions, can restrict and prohibit certain activities, such as the transfer of funds to or from other jurisdictions. 52 days, but the average downtime from attacks varied from 10 days to 14 days. If it’s scant relief, 2021 was the worst year for attacks on financial services organisations with 86 attacks. However, in 2022 there were still 39 attacks and to June 2023, 24 thus far. One of the biggest, albeit unconfirmed, ransoms was against Bank Syariah Indonesia’s (BSI) $20m in May 2023. BSI was targeted by LockBit who demanded $20m in ransom. The bank refused to pay and LockBit has since leaked 1.5TB of data which is alleged to include the personal and financial information of 15m customers. And then there was UK-based insurance company, One Call, that was hit by a £15m ransom from DarkSide in May 2021. No confirmation was given as to whether the company paid the ransom but it did take around 12 days for systems to be restored. With ransomware attacks on the rise within the financial sector, what are the risks and how should financial services organisations respond? The risks outlined Ransomware is malicious software – also known as malware – which prevents a victim from accessing their devices and data. Ransomware usually involves encryption of a victim’s files and extortion of a ransom payment in return for a decryption key to release the seized data. Ransomware attacks can involve exfiltration of a victim’s sensitive data, the threat of leaking information and contacting the victim’s customers, associates or employees. Ransomware can also be used to manipulate victims into complying with demands for other criminal purposes, or to advance personal or political agendas. Ransomware therefore represents risks to individuals, to businesses, and even to national security. The UK Government doesn’t condone the making of ransomware payments – because there’s no guarantee payment will result in release in any event; and, perhaps even more crucially, because such payments perpetuate the threat. Under current English law it’s not illegal to pay a ransom per se. However, making a payment in response to a ransomware attack can expose the victim and any Brave | Curious | Resilient / www.cicm.com / December 2023 / PAGE 20
Ransomware can also be used to manipulate victims into complying with demands for other criminal purposes, or to advance personal or political agendas. Ransomware therefore represents risks to individuals, to businesses, and even to national security. organisation involved in facilitating the payment (such as a financial institution acting in its transactional capacity on behalf of the victim) to other civil and criminal liability. The distinction may be subtle, but it’s crucial. Civil liability could include breaches of data protection legislation, contractual breaches (financial institutions may have contractual obligations with customers or business partners that require them to maintain certain security standards and promptly report security incidents) and regulatory breaches. Criminal liability, such as money laundering offences, could arise if the ransomware attack involves the receipt or transfer of funds that are the proceeds of criminal activity. Deliberately concealing a ransomware attack or impeding a criminal investigation could amount to obstruction of justice. And, in some case, failing to report a ransomware attack that affects the financial institution's customers or ongoing operations could result in the commission of a fraud or misrepresentation. It should be remembered that every ransomware attack that is hushed up – with no investigation, information-sharing or lesson-learning – makes other attacks more likely; that as well as the risk of civil and criminal liability, financial institutions involved in ransomware attacks or making ransom payments could be under a regulatory obligation to report cyberattacks; and liability for financial services organisations can result from ransomware even where, on the face of it, data may not (yet) have been stolen or leaked. The NCSC and ICO recommend that as soon as there is any intimation of a ransomware attack, organisations should assume that data has been compromised. Ransomware and sanctions The UK operates a cyber sanctions regime that includes regulations such as the Cyber (Sanctions) (EU Exit) Regulations 2020, aimed at furthering the prevention of cyberthreats like ransomware. The regulations provide for the imposition of asset freezing and travel bans on persons involved in relevant cyberactivity. Other UK sanctions, known as sectoral sanctions, can restrict and prohibit certain activities, such as the transfer of funds to or from other jurisdictions. continues on page 22 > Brave | Curious | Resilient / www.cicm.com / December 2023 / PAGE 21
Page 1 and 2: CREDIT MANAGEMENT CM DECEMBER 2023
Page 3 and 4: SEAN FEAST FCICM MANAGING EDITOR Ed
Page 5 and 6: 28 THE SCORES ARE IN CICM GOVERNANC
Page 7 and 8: NEWS ROUNDUP Seven million adults f
Page 9 and 10: NEWS ROUNDUP “It’s encouraging
Page 11 and 12: Screen your clients against 1,100 w
Page 13 and 14: Whatever the next 12 months has in
Page 15: “We are proud to be the first BNP
Page 18 and 19: Thursday 1st February 2024 Royal La
Page 22 and 23: INFORMATION SECURITY AUTHOR - Andre
Page 24 and 25: ECO WARRIOR Invoice Finance can sup
Page 26 and 27: CONSUMER CREDIT SCHOOL’S OUT Coll
Page 28 and 29: CONSUMER CREDIT The scores are in A
Page 30 and 31: CONSUMER CREDIT AUTHOR - Emma Steel
Page 32 and 33: Towering above the competition At W
Page 34 and 35: COUNTRY FOCUS South Korea is a dest
Page 36 and 37: COUNTRY FOCUS AUTHOR - Adam Bernste
Page 38 and 39: International Trade Monthly round-u
Page 40 and 41: INSOLVENCY Downward Spiral Are the
Page 42 and 43: CICM TRAINING Training courses that
Page 44 and 45: Introducing our CORPORATE PARTNERS
Page 46 and 47: Introducing our CORPORATE PARTNERS
Page 48 and 49: STATISTICS Data supplied by the Cre
Page 50 and 51: LOOKING FOR YOUR NEXT CAREER MOVE?
Page 52 and 53: HR MATTERS Love action Blowing the
Page 54 and 55: NEW AND UPGRADED MEMBERS Do you kno
Page 56 and 57: Cr£ditWho? CICM Directory of Servi
Page 58 and 59: Cr£ditWho? CICM Directory of Servi
Page 60: Brave | Curious | Resilient / www.c

CM December 2023

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?