The financial services sector faces a number of data protection risks and compliance tasks, but enforcement action and reputational risk often congregates around two issues – security breaches and direct marketing failures.
Businesses operating in the financial services sector are particularly at risk from data security incidents and malicious attacks. We consider the various forms and what your business can do to prepare and reduce risk.
Ransomware is a particular type of security breach where malware (malicious software) is used to encrypt the electronic files of its victims. A ransomware attack is always accompanied by a ransom demand, offering a decryption key in exchange for payment. These attacks have been on the rise in recent years and are expected to continue in 2023.
The ransomware-as-a-service (RaaS) business model allows individuals with little technical knowledge or coding skills to purchase and execute ransomware attacks by leasing malware from developers. The profits are then typically split between the developer and the attacker. It is anticipated that the popularity of RaaS will continue in 2023 due to the continued rise of initial access brokerage and its ease of use.
The potential for an increase in the use of RaaS may also be exacerbated by the looming global economic recession, as financial challenges may lead to a rise in hackers-for-hire willing to launch attacks in exchange for payment.
Double (or triple) extortion
Traditionally, ransomware attacks focused on encrypting a victim's data, making it unavailable to an organisation unless a ransom is paid in exchange for the decryption key(s). However, in recent years, there has been a rise in the use of double extortion attacks, which involve not only holding the victim's data for ransom but also threatening to sell it or publish it online. This allows attackers to potentially extract two payments from their victims - one for the ransom, and another to prevent the online publication or onward sale of sensitive data.
According to research from CipherTrace, double extortion ransomware attacks increased by nearly 500% in 2021. In 2022, double extortion continued to be part of the threat landscape and we expect that many ransomware attacks in 2023 will include the threat of a data leak.
There have also been increasing reports of triple extortion attacks, in which the attackers not only hold the victim's data for ransom and threatens its sale or online publication, but also engages in other activities that enables extortion such as follow-on or secondary attacks aimed at the impacted organisation, its business partners or its associates. As cybercriminal groups continue to evolve and become more sophisticated, we anticipate that the use of triple extortion as a tactic will increase.
To pay or not to pay?
In recent years, the issue of ransomware has garnered significant attention within the field of cybersecurity due, in part, to the ethical and legal implications of paying ransoms to cybercriminal groups. Many experts assert that such payments not only sustain the cycle of attacks, but also potentially provide funding to nefarious organisations, including those under sanctions or designated as terrorists.
In response to these concerns, there is likely to be increasing scrutiny on responders and investigators in relation to the processes they follow to identify and accurately attribute ransomware actors to ensure they are not on sanctions lists.
Concerns surrounding the payment of ransoms extend beyond the question of sanctioned parties, as there is a general belief that making payments to individuals or groups who have illegally accessed systems is ethically problematic due to their connections to other forms of criminality. As the frequency of ransomware attacks persists, it is expected that the debate over the ethics and legality of paying ransoms will remain a prominent issue in 2023 and may eventually result in legislative or policy actions at national levels.
How can you prepare?
Raising employee awareness
To effectively prepare for a ransomware attack, it is essential for organisations to prioritise raising employee awareness about the risks of such attacks and how to prevent them. Employees are frequently the primary source of data breaches, and it is therefore imperative to provide them with the knowledge and tools necessary to safeguard against ransomware attacks. This can include providing training on safe browsing and email practices, such as avoiding clicking on links or opening attachments from unknown sources.
It is important to cultivate a culture of cybersecurity within your organisation. This can involve reminding employees to be vigilant about potential threats and encouraging them to report any suspicious activity. By making cybersecurity a priority and empowering employees to take an active role in preventing attacks, organisations can better protect themselves against the threat of ransomware.
Involvement and leadership of the C-Suite
The involvement and leadership of the C-suite is crucial in effectively preparing for and responding to a ransomware attack. The C-suite should ensure that the necessary resources, both at a technical and personnel level, are available.
Playbooks and policies
Playbooks should be developed to support an organisation's preparations for and activities during a ransomware attack. The playbook should outline the steps to be taken in the event of an incident and include information such as how to prevent the spread of ransomware, how to recover from backups, and how to communicate with stakeholders.
It is also important for organisations to regularly review and update their cybersecurity policies and procedures.
Defense in depth
An effective way for organisations to protect themselves against ransomware attacks is to implement a defense in depth strategy. Defense in depth is a cybersecurity strategy that involves layering multiple defenses at different points within an organisation's network. This creates a multifaceted defense system that is better equipped to withstand an attack. By implementing various technical and procedural measures, such as firewalls, intrusion prevention systems, and endpoint protection, organisations can create a defense in depth strategy to protect against ransomware attacks and other cyber threats.
Adtech or advertisement technology is a term used to describe technologies that connect advertisers with target audiences, through publishers. The technologies can include banner advertising on the advertiser's or publisher's website, paid-for search (where advertisers pay for their details to appear at the top of search results) and online video adverts, amongst other things. Adtech plays a crucial role in the financial services sector by providing technology-driven solutions to help financial institutions reach their target customers, gather valuable data, and improve their overall customer engagement and experience.. By leveraging adtech, financial institutions can gain insights into consumer behaviour, improve marketing efficiency, and develop targeted financial products and services to better meet customer needs and preferences.
In 2023, we are likely to see increased regulatory, privacy activist and litigant scrutiny of adtech as they seek to address their concerns about data privacy.
Transparency and consent
At the heart of many of the challenges to the use of adtech are concerns about the intrusive profiling of website users, without appropriate transparency and gaining valid consent.
What can you do?
It is important for companies in the financial services sector who are planning on employing adtech, to take crucial steps to ensure that they are operating in a transparent and consent-driven manner.
Additionally, it is important to review the overall design of the website or platform to ensure that it is compliant with relevant laws and regulations, and to avoid the use of so-called "dark patterns" that may be designed to manipulate users into providing consent without fully understanding the implications.
Finally, it is important to stay up to date on developments in relevant legal frameworks in the different jurisdictions your organisation operates in, as there is a lack of regulatory and enforcement uniformity.
Businesses operating in the financial services sector are particularly at risk from data security incidents and malicious attacks. We can help your business prepare and reduce risk.
Contact our expert team: James Drury-Smith, Mark Hendry, Isaac Chulu Chinn or Tughan Thuraisingam for more advice.