Ira Winkler, chief information security officer with Skyline Technology Solutions in the US, recommends that CFOs consider ransomware prevention as a cost of doing business. In reflecting on the topic of cybersecurity insurance as a good investment, he opined that ransomware is a key purchase driver because a successful attack is expensive even if you don’t pay the ransom.
According to James McLeary, managing director for Cyber Risk at Kroll, some cyber threats are very technical in terms of response. For example, data theft can result in loss of confidentiality. A DDoS attack or some malware has implications on the availability of the organization.
“In ransomware, we are firmly in the remit of financial extortion and the CFO has a big concern and a big role to play in that respect. It brings in the aspect of, ‘what are we going to do now that we have this ransomware, do we make a payment as an organization? Or is it our risk appetite, that we will not pay to two such ransomware requests?’ [If we] have taken it to the next step of, even if we were to say. ‘Yes, we will pay, but do we have the ability to pay?’” postulated McLeary.
How involved is the CFO in cyber threats
Asked to what extent CFOs need to get involved in the lifecycle of cyber threats including ransomware, McLeary commented that finance functions themselves are regularly targeted by cyber threat actors.
He attributes to the nature of the finance function – as a keeper of sensitive and valuable data. The acquisition of such information can be used for subsequent ransomware attacks.
He also observed that CFOs are regular targets of business email compromise attacks maybe through a phishing attack.
McLeary says CFOs are risk managers themselves meaning they need to understand the risk of investments and make the right investments.
“By working closely with the security and IT leaders in the company, the CFO can ensure that the investment strategy is commensurate with the business risk. And act very much as a partner and advocate, across the organization to ensure that cyber risks are being addressed appropriately through investment,” he opined.
McLeary acknowledged that bitcoins or cryptocurrencies are a preferred payment form among attackers. Does it make sense then that a company hold cryptocurrency in the event the company decides to pay off an attacker?
While he conceded that it is generally not a good practice for a company to be making such payment directly. “There are legal considerations that would come into play and some jurisdictions are in the process of making it mandatory to report if any such payment should be made,” he continued.
“It is important that the CFO are aware of the legal implications and the cross-jurisdictional legal implications about making such payments for ransomware.”
Counter strategies against rising ransomware as a service
Researchers at Group-IB estimate that almost two-thirds of ransomware attacks in 2020 came from cybercriminals operating on a ransomware-as-a-service (RaaS) model.
An appknox blogpost attributes the growth of RaaS to the exponential growth of the international cloud structure and dark web organizations like REvil and DarkSide offering franchise RaaS capabilities to attackers.
RaaS makes the barrier of entry for someone to conduct a ransomware attack very easy and low cost.
Although McLeary is quick to claim that a lot of the global authorities have clamped down on RaaS sites, particularly the marketplaces on the dark web.
“To get around these, cyber attackers are pivoting to a new method that we're seeing coming out more as a trend which is, is called initial access brokers. This is, in effect, a cyber group who gains access to the organization and then sells that access to another cyber attack group, to simply walk in the open door, and launch their ransomware,” said McLeary.
He suggested that the CFO considers working with their security leaders to actively monitor around the dark web, to see if their company or even the CFO’s credentials, themselves, have been exposed, and they're being sold on the dark web.
As regards securing staff that work from home, he suggested that CFOs challenge some of the security investment strategies that maybe were put together pre-pandemic and make sure that they know reflect some of that new normal.
Yes or no to cyber insurance
The MarketsandMarkets forecasts the global cybersecurity insurance market in the post-COVID-19 scenario to reach US$20.4 billion by 2025, at a CAGR of 21.2% during the forecast period.
The major factors driving the market include the increasing number of sophisticated cyber-attacks amplifying the fear of financial losses, and the growing need for compliance with various upcoming regulations.
McLeary believes the CFO has a pivotal role and understanding [about the] potential loss of a cyberattack. He acknowledges that the potential loss could be catastrophic. This can be the cost of business loss, the cost of reputation and the cost of third-party support and liability.
“Of course, it is a question of the risk appetite of the organization, but I do believe that is something that the CFO should be front and centre in helping shape that risk appetite decision as to whether cyber insurance is valid and that is one way of covering potential loss on ransomware payments,” he added.
What to do following a ransomware attack?
McLeary said preparedness is key. He warns against waiting until it happens. He suggests looking at tried and tested plans in place in advance.
“This is something that the CFO can help to drive. [Does] the organization have a crisis management scenario for ransomware and has it been tested, [had] simulations and tabletop exercises being run so that people are aware of what to do,” he commented.
“I do recommend advocating for those plans to be in place to test them through simulations, and also make sure that you do have trusted partners in place that can assist."
“These are very complex matters so relying internally on decisions around ransomware payments may not be the best approach. [Having] good trusted third parties who are [used to dealing] with these types of situations regularly and can give good coaching from a crisis management perspective and can even give advice on steps to take,” he continued.
Click on the PodChat player to hear McLeary shares his opinions on options available for CFOs as they deal with the rising tide of ransomware.
- From a CFO perspective, is ransomware any different from other threats?
- Do CFOs make good cybersecurity advocates? To what extent should CFOs get involved when it comes to the lifecycle of cyber threats, including ransomware?
- We hear of some ransomware threats being conducted in cryptocurrency. Is the form of payment going to be of concern to the CFO?
- How should the CFO address the convergence in the rise of ransomware-as-a-service and other new practices, the increase in reliance on vulnerable IT systems by physical process controls, and the evolving cyber insurance market?
- Can you cite good reading material for CFOs when it comes to ransomware readiness?