How the Financial Sector Could Fight Ransomware
November 3, 2021
Hard to believe it has been six years since U.S. banking regulators issued their “Cyber Attacks Involving Extortion” joint statement. The alert seems prescient now given the rapid increase in ransomware attacks across all industries. In fact, all three extortion tactics mentioned in the alert—Distributed Denial of Service, stealing sensitive data, and ransomware—are now being combined by cyber attackers to extort money and fuel the criminal underground.
Impacts of these attacks have raised alarms across both public and private sectors. In response, the U.S. administration and lawmakers are putting forth considerable effort to discourage government agencies and private sector companies from paying ransoms, as well as exerting pressure to increase incident reporting and enhance third-party risk management. As Accenture’s Global Security lead Kelly Bissell stated in a recent article on The Cipher Brief, “On paper the prevention incentives make perfect sense – if the victim cannot pay, then why attack? On the other hand, the ‘pay, no pay’ decision is rarely clear-cut.”
While there are no easy answers, banks, insurance companies, and capital markets firms could work with regulators to make it harder for cyber criminals to succeed. By joining forces through the existing public-private partnership, the financial services sector could develop and implement a framework that reduces ransomware's impact for all companies. Such a framework could include approaches that improve the transparency of ransom payments, standardize cyber insurance underwriting, and give investors a way to assess the security resilience of the companies they back.
One of the main constraints in combatting ransomware is the inability to identify and block crypto-payments to known threat actors. These unregulated forms of payment provide the anonymity that cyber criminals need to stay beyond the reach of banks and law enforcement. As cryptocurrencies become more mainstream, banks and regulators should join forces to develop supervisory systems for digital currencies and to offer digital currencies tied to their countries' fiat currencies. A recent survey found that 80% of the world's central banks are already engaged in research or experimentation toward a central bank digital currency. In May, the Digital Dollar Project launched several pilot programs to measure the value of, and inform the future design of, a U.S. central bank digital currency. By working with policymakers and regulators, banks can harness the value of digital currency while gaining visibility into which payments are flowing to illicit actors.
For years the underwriting process for cyber insurance has lacked the data needed to feed actuarial models and properly assess the risk and value of policies. With the rise in ransomware attacks, insurers now have a much larger volume of loss data to work from, and many companies have seen both premiums and deductibles rise as a result. In some instances, insurers have added new limits on cyber coverage or new terms and conditions that restrict or prohibit reimbursement of ransom payments. The U.S. Government Accountability Office reports that rates for at least half of cyber insurance buyers rose 10 to 30 percent in late 2020, while some industry experts report premium increases of as much as 50 percent.
With these higher rates and lower limits, many underwriters now require clients to demonstrate their cybersecurity measures through independent assessments. Failure to implement multifactor authentication, for example, can result in an application being rejected. In some cases, companies with stronger security measures are rewarded with higher coverage caps or lower premiums.
This approach, rewarding companies that have strong security measures with better premiums, terms, and coverage amounts, is a step in the right direction. Unfortunately, insurers are not working from a common set of security best practices, which produces inconsistent and confusing underwriting outcomes for companies seeking cyber insurance. One remedy would be for the insurance associations and CISA to jointly define a tiered set of cybersecurity standards (for example, good, better, best) that makes clear how companies can earn better rates and, in the process, raises their security and resilience maturity.
Another way to encourage companies to strengthen their security would be to create voluntary guidelines that help investors assess the security resilience of the companies they invest in. Investors are increasingly concerned about revenue losses from ransomware attacks, including operational disruption, direct losses from ransom payments, and frustrated customers who take their business to competitors. On top of these losses comes the reputational damage from media coverage and public outcry, which can in turn draw additional scrutiny from regulators. A set of voluntary security and resilience guidelines written for investors would give companies a further incentive to improve their defenses against these attacks.
Now that ransomware attacks are disrupting critical infrastructure, we must weigh their societal impact and build a framework that improves the transparency of payments so that the illicit activity of cyber criminals can be tracked. By adding a common set of insurance underwriting standards and investor guidelines, we can raise companies' security maturity and make it harder for attackers to succeed. These actions will not solve every aspect of ransomware, but working together through our existing public-private partnerships can go a long way toward containing it.
Attending FinCyber? Join me on November 3 for a fireside chat with Accenture CISO Kris Burckhardt on Lessons Learned from Lockbit2.0 Ransomware Incident.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.