The threat of ransomware has everyone’s hackles up. Between JBS USA confirming last month it paid an $11 million ransom and Colonial Pipeline paying $4.4 million in May, the proliferation of malicious cyber-attacks has brought the criticality of strengthening cyber-security postures to the fore.
“No one is immune from these attacks,” said Ann Chaglassian, chief compliance officer for the Americas at Mercer, at Compliance Week’s virtual TPRM conference last week. “You can have the best security program, but these attackers are certainly getting cleverer in the approach they are taking, and there’s a constant need to keep up with what’s coming next.”
Before the attack
One way to discourage ransomware is by making it less profitable for the attackers, Chaglassian said. “You can do that by investing in technology infrastructure upfront. While the cost to companies sometimes seems astronomical, it may end up saving you a lot of money and headache at the end of the day if you are implicated by any of these attacks,” she said.
A second precautionary measure to limit risk is to buy cyber-insurance. Chaglassian pointed out some caveats to purchasing cyber-insurance, such as policy clauses organizations should be aware of. A failure-to-maintain clause will preclude coverage for claims arising from a failure to meet “adequate” security standards, the term “adequate” being a moving target. A second red flag is a cyber-extortion clause, which will only cover the actual dollar amount of the ransom or extortion fee but no other income lost because of the attack.
At the least, companies should get comfortable with best practice cyber-security frameworks, like the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the International Organization for Standardization information security management system standards.
“We base a lot of our questionnaires and approach off standardized frameworks such as NIST,” said James Griffin, director of global risk and compliance operations at American Express GBT.
Chaglassian agreed: “We absolutely have a list of requirements that we want to make sure vendors are meeting. Sometimes it includes having vendors getting certified or assessed through another process, such as HITRUST … just to give yourself comfort that the vendor is meeting baseline security requirements that your own organization is also meeting.”
President Joe Biden’s May 12 executive order also offers a variety of cyber-security related standards, which include creating a cyber-playbook for responding to cyber-incidents and improving investigation and remediation capabilities.
Apropos of the order’s urgency, IT solutions developer Kaseya VSA announced it was hit with a ransomware attack July 2. While the details are still unfolding, it appears the attackers (attributed to the REvil criminal group) carried out a supply chain ransomware attack by exploiting vulnerabilities in Kaseya’s VSA software. Because Kaseya VSA’s clientele includes managed service providers, the end customers of those providers, which are small- and mid-sized organizations, were also embroiled in the attack.
The Kaseya cyber-attack is yet another example of how these incidents can occur down the supply chain. One of the most important questions to ask vendors, then, is: Do you have a formal security program in place?
“It seems like a basic question, but is it at the desired security level? … Does it include formal training for both employees and their contractors? … Do they have penetration testing that’s being performed by a qualified third-party vendor, and are they willing to share those results? Does your vendor have technical prevention measures in place—things like firewalls, antivirus products, and intrusion detection?” Chaglassian said.
Ongoing cooperation with the vendor should be negotiated at the contractual stage.
“Exercis[e] audit provisions in contracts to do an audit of your vendor. … As long as the vendor is willing to provide that information, I think that leads to a great collaborative relationship where everybody’s information is being protected from the myriad threats out there,” Chaglassian said.
When risk-ranking vendors, Griffin said it comes down to two factors: what the vendor is going to be doing (i.e., accessing versus hosting data) and what kind of data they are touching.
The type of data is particularly critical. “Are they touching personally identifiable information? What state or federal laws are implicated by that? I think that contributes a lot to the ranking of the vendor,” Chaglassian added.
It’s almost as important to prepare for business continuity in the event of a ransomware attack.
“When you think about a ransomware attack, you’re dealing with both the area of service continuity, the impact to the services that you’re providing your own clients, and then also the impact to the data,” Griffin explained.
Finally, have a fire drill, suggested Griffin. Conduct a tabletop exercise where the organization goes through a hypothetical ransomware attack, identifying exactly which people and groups should be involved in the decision-making and when, how the decision will be properly escalated, and where any gaps in communication may exist.
During and after the attack
When an incident occurs, it’s time to kick off the incident management program.
“You want to understand what has taken place, make sure the right folks internally are involved, and make sure the right communication channels are opened up with the vendors to understand what the service [and] data implications are and where the vendor is in the process of its own incident management program in responding to the threat actor,” explained Griffin.
Another important step is to enlist the help of a party with appropriate expertise, whether that’s an internal team or an outside cyber-security firm. That party can come in and assist the organization with eradicating the threat.
TPRM session moderator Nik Fuller of OneTrust asked the question: Who gets a seat at the table on whether to pay the ransom? The answer is a lot of individuals: senior business leaders; board members; outside counsel; and representatives from legal, audit, finance, and more.
Should the company pay or not pay? The Federal Bureau of Investigation has stated it does not support paying ransom, but it’s not illegal either.
Whether to pay needs to be weighed on a case-by-case basis. “You can look at it from both perspectives. If you’re paying the attacker, you’re encouraging even more ransomware attacks; but in some cases, businesses don’t have the option. It’s the option of paying or going under,” said Chaglassian.
After the incident has been eradicated by whatever means necessary, it’s time to conduct a post-incident activity to ensure the organization understands what happened so it can improve its security posture moving forward.
A postmortem can also help to restore trust between an organization and its vendor in cases where the vendor was subject to the ransomware attack.
“If that vendor didn’t have multi-factor authentication, and as part of the postmortem that’s identified, they should implement that. You can do monitoring activities six months per year down the road to see whether they actually did implement it,” Chaglassian said.