Data breaches are happening every day, and presently, they are often accompanied by ransom demands. It used to be that most ransomware simply encrypted a firm’s data and wanted to get paid for the key to decrypt it again. The answer to this kind of attack is pretty simple: make and securely store backups of your data so that you can reload your systems without paying ransom. This works, but some concerns still pay the ransom to avoid downtime while backups are accessed and systems restored. Unfortunately, the bad guys have a worse trick up their sleeves: threatening to publish your data on the Internet if you don’t pay the ransom.
This is a very thorny problem. If you don’t pay, you are going to have private personal and financial data of your clients exposed, which is going to lead to regulatory scrutiny and loss of business. If you do pay, you are out the expense and you have no guarantee that the cybercriminals won’t publish your data anyway.
Besides ensuring that your data doesn’t get compromised in the first place, the only thing that wealth management firms can do to thwart this problem is ensure that their incident response plan is complete and ready to invoke at a moments notice. This takes good communications, especially internally. This is the responsibility of the CISO in most firms.
The first thing the CISO should do once the incident is validated is to notify the incident response team and get them working on containing the incident and researching how it was perpetrated. From there, the CISO should handle communications. All incident-related communications should go through the CISO. The team should communicate their findings with the CISO, and the CISO in turn should communicate pertinent information with the Board of Directors. They are primarily responsible for the information security program at the firm, and decisions on further communications with regulators, law enforcement and clients should come from them. It is also their responsibility to decide how ransomware demands are to be addressed.
To perform all these functions quickly and efficiently, communications methods and responses to incidents should all be pre-planned and included in the incident response plan. It is also important to practice responses to various likely incident scenarios (table-top exercises are generally used for this). These practice sessions help to speed up actual incident responses and expose holes in the plan that could cripple the response if not corrected.