Pub. 16 2021-22 Issue 4

NEBANKERS.ORG 10 WASHINGTON UPDATE IT’S THE MESSAGE A CEO NEVER WANTS TO RECEIVE: “WE’VE GOT your data and you need to pay up if you want it back.” Unfortunately, that message is landing in CEO inboxes increasingly often, as ransomware attacks ramp up in the U.S. In just the first six months of 2021, the Financial Crimes Enforcement Network identified $590 million in ransomware-related Suspicious Activity Reports — a 42% increase from the 2020 total of $416 million. And FinCEN reports that we could be on track to see a higher transaction value for ransomware-related SARs than we’ve seen in the past 10 years combined. Ransomware attacks — which use malware to encrypt files on a computer or mobile device and render it unusable until a ransom is paid — present companies with an unsavory dilemma: pay a ransom to a criminal actor, or lose a potentially devastating amount of data, which could seriously compromise business operations. These kinds of attacks are evolving quickly in sophistication and scope, and virtually any business could be targeted at any time. What’s perhaps most concerning is that criminal actors are increasingly targeting critical infrastructure entities, as we saw in the Colonial Pipeline incident earlier this year that caused a shutdown of a major East Coast oil provider. They’ve also begun branching out into “extortion-ware,” in which the hacker not only encrypts sensitive data but then goes the extra step and threatens publicly to release it unless the institution complies with their demands. Given the potential operational and reputational consequences of these types of cyberattacks, banks need to have a plan in advance for how they’ll respond. There are a number of factors to consider. First, while most companies choose to pay — cyber insurer Marsh McLennan reports that more than 60% of ransomware victims pay the requested ransom — it’s not To Pay or Not to Pay: Ransomware Attacks Offer an Unsavory Choice Rob Nichols, President and CEO, American Bankers Association

RkJQdWJsaXNoZXIy ODQxMjUw