Cybersecurity

To Pay Or Not to Pay… And Then What?

Tammy Bangs

May 31, 2017

Blog-2017-05-31

I’ve been getting a lot of questions recently about the meaning of Cyber Resiliency.

What is Cyber Resiliency?

Wikipedia’s definition: “Cyber Resilience refers to an entity's ability to continuously deliver the intended outcome despite adverse cyber events.” In other words, it’s a migration from the strategy of protection by prevention only – into a posture of proactive readiness to address a cyber security breach or hack on every level, when it occurs, in a manner that is much less reactive than previously deemed acceptable. It’s not if you experience a breach … it’s when.

Identifying the steps that are necessary to recover and resume your business operations once a breach occurs is absolutely critical for your FI. Having rehearsed those steps, answered the myriad of questions, and identified multitudes of “what ifs” is a huge part of what could equate to your successful recovery from such an incident. If you fail to plan, you plan to fail. This is never as true as in the incident of recovery from some kind of catastrophe – cyber or otherwise. As the rate of malware infections rise exponentially, and the rate of ransomware reaches an all-time high, we understand the duty you have to protect your customers’ information and to resume your operations as swiftly and efficiently as possible after the event.

Consider this in the instance of a data ransom: would your FI pay or not pay the criminals who have hijacked your data? You don’t want to pay and you know you shouldn’t pay … but when the rubber meets the road, would you? What if it was a “reasonable” amount? What if another FI you know paid and got their data back? How can you verify that your data wasn’t tampered with while under control of a malicious group? These are the types of decisions that must be made in the event of a data ransom, and if you’ve never had the conversation with your Board of Directors or Executive Management, it will be a much more difficult row to hoe when you’re working against a hacker’s deadline. Philosophically and practically, how would you respond?

The FBI has issued directives for businesses NOT to pay, but if you did pay, would you be violating a regulation? Would you be breaking the law? What is the reputational risk associated with paying versus not paying? What if the ransom you paid funded terrorists? Human trafficking? We have heard reports of large businesses and FIs buying up bitcoins to use in the data ransom type of event described above. Obviously some FIs elect to pay. Some don’t. What if you pay, and don’t get the data back? What if you get the data back but it’s been copied and sold on the dark web? Understanding and contemplating those potential consequences are vital. It’s not about the ransom itself at all. It’s about the implications and risks associated with paying or not paying. A convincing case can be made on each side of the argument. You may believe that your FI would never consider paying, taking a “we don’t negotiate with terrorists” stance. Well, if you don’t have that discussion prior to having an incident occur, you could be surprised by the ensuing conversation and recommendations made by your team.

If you are interested in exploring this fascinating topic further, join my team as we discuss it at length during our complimentary educationally-focused Risk Forums. We have dates scheduled across the country between now and June. Click below to find out more about how you can take advantage of our expertise in how you can plan not to fail in the event of a cyber event!