Responding to a cyberattack

Cyber risk has been the number one concern in executive surveys for the last four years. Here’s everything the C-suite should know but might be afraid to ask, and should be afraid not to know! In this issue, we shine a spotlight on responding to a cyberattack.

Cyber risk has been the number one concern in executive surveys for the last four years. Here’s everything the C-suite should know but might be afraid to ask, and should be afraid not to know!

A state actor successfully infiltrates a major global bank’s custody servicing infrastructure, causing a suspension of the trading system used to process incoming messages from clients around the globe. The attackers make a triple-extortion ransom demand for $100m worth of Bitcoin within 24 hours.

“Firms should also continually exercise their crisis management, incident response, and data recovery plans to ensure rapid response and recovery from ransomware or other types of cyberattacks.”

Kenneth E. Bentsen, JR, Sifma president and CEO

Would you know what to do if it was your organization that was being targeted by a hostile government? Would your information security tools and processes be robust enough to withstand such an attack and minimize the damage? Would your organization be resilient enough to bounce back after an attack?

Financial firms, central banks, regulatory authorities, trade associations, law enforcement, and information-sharing organizations from around the world got together at the end of last year to practise responding to just such an event, at the Securities Industry and Financial Markets Association’s (SIFMA) latest cybersecurity readiness exercise.

SIFMA runs the Quantum Dawn exercise every two years, giving information security professionals the chance to come together to rehearse incident response protocols against a broad range of significant ransomware attacks targeting the financial sector.

Quantum Dawn VI was held in November 2021. More than 1,000 representatives from 240 public and private sector institutions, including financial firms, central banks, regulators, and law enforcement entities, from more than 20 countries took part, focusing on identifying potential gaps in responses.

SIFMA released its summary of key recommendations from the exercise in March 2022, and emphasised the need for cooperation in defeating the cybercriminals. “A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing,” said Kenneth E. Bentsen, Jr, SIFMA president and CEO. “No single actor — not the federal government, nor any individual firm — has the resources to protect markets from cyber threats on their own.

“Firms should also continually exercise their crisis management, incident response, and data recovery plans to ensure rapid response and recovery from ransomware or other types of cyberattacks.”

SIFMA’s Quantum Dawn VI After-Action Report’s recommendations are:

  • Make critical investments in capabilities Institutions should continue to invest in robust ransomware recovery and cyber, business continuity and information technology incident response plans, and strengthen these plans based on frequent exercises and tests
  • Create alternative communication channels for worst-case scenarios In the event that a regulatory authority is affected by a ransomware event and goes offline, firms should be ready to use alternative communications channels
  • Beware: ransom payments may not lead to data recovery SIFMA does not recommend paying a ransom. Executives need to carefully consider the realities of taking such actions, including the possibility that they still may not recover stolen data
  • Join the global directory of critical stakeholders Financial firms are strongly encouraged to join SIFMA’s Global Directory of critical stakeholders.  This directory was created to identify critical public and private sector organizations and key contacts that play a role in crisis management and global information sharing.
  • Follow best practices:
    • Validate that critical infrastructure assets are not exposed to the public internet
    • Institute controls such as self-service password management requiring a second factor to avoid being socially engineered
    • Require multi-factor authentication everywhere
    • Deploy modern-day Identity Governance and Administration systems to detect backdoor accounts
    • Use a privileged account management system to check in-and-out access to accounts or deploy even more advanced defenses for critical admin-level accounts
    • Isolate and disconnect infected machines immediately
    • Develop proactive threat hunting capabilities.