Written By Ruth Promislow, Simon Grant and Fatima Kawar
Ransomware continues to present an increasing risk to all organizations. Ransomware attacks can involve the installation of malicious software designed to block access to computer systems and/or steal data, and a corresponding extortion demand for a ransom fee. The threat and impact of these attacks has grown dramatically as a result of the following:
- increasing numbers of criminal-actor groups targeting organizations of all sizes and in all industries;
- vastly increased ransom payment demands;
- increasing sophistication of the attack methods; and
- evolving strategies of the threat actors to steal data (in addition to encrypting it) and publicly 'shame' organizations who refuse to pay the ransom demands.
The rising threat of ransomware and the role of financial sector entities in the fight against ransomware has been highlighted by recent government advisories in Canada and the United States, which are summarized below. Specific guidance is provided to federally-regulated financial institutions (FRFIs) which requires a comprehensive review of existing policies and protocols to ensure compliance, as well as preparedness for this risk.
Canadian Guidance and Requirements
The Office of the Superintendent of Financial Institutions (OSFI) in Ottawa recently released an updated advisory that imposes enhanced requirements on how FRFIs should disclose and report technology and cyber security incidents. The updated Technology and Cyber Security Incident Reporting Advisory (the Updated OSFI Advisory) supersedes the initial advisory which was released in January 2019 (the 2019 OSFI Advisory) and summarized in our previous insight, Technology and Cybersecurity Incident Reporting: New Guidance from OSFI.
Criteria for Reporting in Canada
The Updated OSFI Advisory provides significant changes to the criteria of a reporting incident:
- The definition of "technology or cyber security incident" is broadened to include "an incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information." In comparison, in the 2019 OSFI Advisory the incident had to be assessed to materially impact the normal operations of a FRFI.
- Unlike the 2019 OSFI Advisory which limited reporting to incidents "assessed by a FRFI to be of a high or critical severity level," there is no minimum severity level threshold for the reporting of an incident to OSFI. Instead, FRFIs must define priority and severity levels within their incident management frameworks; however, the Updated OSFI Advisory does not set guidelines for these frameworks. If uncertain whether an incident should be reported, FRFIs are expected to consult their lead supervisor at OSFI.
- The Updated OSFI Advisory provides a revised and expanded list of characteristics of a reportable incident, while amending previous characteristics by removing qualifiers such as "material," "significant" and "extended". Even if an incident does not have one or more of the identified characteristics, the Updated OSFI Advisory still encourages FRFIs to report the incident. OSFI emphasizes that any one or more of the characteristics could trigger a reporting obligation.
Some examples of characteristics which trigger a reporting obligation include:
- Impact has potential consequences to other FRFIs or the Canadian financial system;
- Disruptions to business systems and/or operations;
- Operational impact to key/critical systems, infrastructure or data; or
- Impact to a third-party affecting the FRFI.
The following is a list of newly added characteristics which trigger a reporting obligation:
- Disaster recovery teams or plans have been activated or a disaster declaration has been made by a third party vendor that impacts the FRFI;
- A FRFI's technology or cyber incident management team or protocols have been activated;
- An incident that has been reported to the Board of Directors or Senior/Executive Management;
- A FRFI incident for which a Cyber insurance claim has been initiated;
- An incident assessed by a FRFI to be of a high or critical severity, level or ranked Priority/Severity/Tier 1 or 2 based on the FRFI's internal assessment; or
- Technology or cyber security incidents that breach internal risk appetite or thresholds.
Reporting Requirements in Canada
The Updated OSFI Advisory includes changes to the reporting requirements:
- FRFIs must report technology or cybersecurity incidents "within 24 hours, or sooner if possible." Previously, the reporting timeframe was "as promptly as possible, but no later than 72 hours."
- FRFIs are required to submit an initial report to the Technology Risk Division (at TRD@osfi-bsif.gc.ca) as well as the FRFI's lead supervisor. The 2019 OSFI Advisory only specified the information required in the report and did not include a form. Now, incidents must be reported using the new OSFI Incident Reporting and Resolution Form provided in Exhibit II of the Updated OSFI Advisory. The new form adds guidance on the type of information OSFI requires from FRFIs and provides pre-set response options.
- The Updated OSFI Advisory now indicates a preference for initial reports to be submitted electronically. If the FRFI is unable to submit electronically, notification by telephone followed by a paper submission is acceptable.
- In addition to the initial report, FRFIs must provide regular updates as new information becomes available, and until all details about the incident have been provided. These subsequent updates can be provided in any form, however, OSFI may request that the FRFI change the method and frequency of subsequent updates in certain cases. The guidance relating to subsequent reporting has not changed since the 2019 OSFI Advisory.
- After the incident is closed, the FRFI is must submit to OSFI a post-incident review and lessons learned report. This guidance has not changed since the 2019 OSFI Advisory.
Failure to Report
The Updated OSFI Advisory sets out new potential consequences for FRFIs failure to report a technology or cybersecurity incident.
- The failure to report may result in increased supervisory oversight, which could take the form of enhanced monitoring of activities, being placed on a watch list, or being staged in accordance with OSFI's supervisory intervention approach. OSFI's Guide to Intervention for Federally Regulated Deposit-Taking Institutions aims to communicate at which stage an intervention would typically occur but circumstances may vary from case to case. There are four stages that are of main concern and OSFI will place a FRFI in a stage based on its risk assessment:
- A FRFI is categorized as Stage 1 (Early Warning) when OSFI identifies deficiencies that are significant, but do not yet make it concerned about the FRFI's safety or soundness. At stage 1, OSFI may issue a supervisory letter, meet with the FRFI to outline concerns and discuss remedial actions, monitor the FRFI on an escalating basis, and conduct enhanced or more frequent supervisory reviews.
- Moving a FRFI to Stage 2 (Risk to Financial Viability or Solvency) means the FRFI poses concerns about its safety and soundness. While there are no immediate threats to its financial viability or solvency, the FRFI is vulnerable to adverse business and economic conditions. At Stage 2, OSFI may enhance monitoring through reporting requirements, conduct follow-up supervisory reviews, require the FRFI to incorporate remedial measures in its business plan, require the FRFI's external auditor to expand their scope of review, require the FRFI to conduct a special audit, and to develop a contingency plan to enable OSFI to take rapid control of the assets if necessary.
- A FRFI is moved to Stage 3 (Future Financial Viability in Serious Doubt) when OSFI finds that the FRFI has failed to remedy problems identified at Stage 2. Stage 3 suggests the FRFI "has severe safety and soundness concerns and is experiencing problems that pose a material threat to its future financial viability or solvency unless effective corrective measures are promptly undertaken." At Stage 3, OSFI may direct external specialists to assess certain areas, enhance the scope of business restrictions, imbed OSFI staff in the FRFI's operations, expand contingency planning, and ask the FRFI to consider options such as restructuring or seeking a prospective purchaser.
- If a FRFI is categorized as Stage 4 (Non-Viability/ Insolvency Imminent) OSFI has determined the FRFI is experiencing severe financial difficulties and is on the brink of non-viability. At Stage 4, OSFI may assume temporary control of the assets of the FRFI, take full control of the assets of the FRFI, or request that the Attorney General of Canada apply a winding-up order in respect of the FRFI.
Other Guidance for Canadian Organizations
In an open letter dated December 6, 2021, the Canadian Ministers of National Defence, Public Safety, Emergency Preparedness and International Trade, Export Promotion, Small Business and Economic Development reviewed the significant rise of ransomware threats and offered guidance to curb this trend. The Ministers refer to a cyber-threat bulletin and a ransomware playbook recently published by the Canadian Centre for Cyber Security as guidance for best practices to protect against cyber threats.
United States Advisories
The United States Department of the Treasury Financial Crimes Enforcement Network (FinCEN) issued a new advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments in November 2021 replacing FinCEN's October 2020 guidance. In this new advisory, FinCEN highlighted the increased frequency and severity of ransomware attacks against critical U.S. infrastructure. This trend pattern (as noted in the Financial Trend Analysis report issued by FinCEN on October 15, 2021) was derived from financial institutions' Suspicious Activity Reports. Between January 1, 2021 and June 30, 2021, 635 SARs were filed and 458 transactions were reported, which shows an increase of 30 percent from the total of 487 SARs filed for the entire 2020 calendar year.
FRFIs should be vigilant in ensuring that they have robust risk-management frameworks and corresponding policies and procedures in place to prepare for ransomware attacks and corresponding compliance obligations. Preparation includes:
- Data mapping: A detailed and thorough mapping of all categories of data in the custody or control of the entity, the places in which such data resides, a sensitivity analysis of the data and a summary of reporting and notification obligations in the event of a compromise of each category of data (including regulatory and contractual obligations).
- Risk assessment: An assessment of the risks to the organization and the impact from those risks. The risks may include encryption of information required for operations, exfiltration of sensitive/valuable data, compromise of third party confidential information and public shaming by threat actors based on exfiltration of data. The impact assessment should include an analysis of costs to the organization should any of the risks materialize, as well as the risk to third parties and the corresponding litigation risk to the organization.
- Vulnerability assessment: With an overview of the risks to the organization, an assessment of where the vulnerabilities within the organization lie (e.g. human error, the absence of specific protocols to ensure that policies are adhered to, or the continued availability of legacy protocols which cannot be secured against threats).
- Policies & Procedures: With a view to the risks and vulnerabilities, a set of policies and protocols designed to minimize the risk and severity of attack, and optimize the ability to quickly identify, contain and remediate an attack.
- In particular, incident response plans should be updated so that FRFIs are prepared to report the expanded category of incidents and within the expedited timeline of 24 hours. The ability to comply with this expedited reporting timeline requires organizations to ensure they have the proper protocol in place to quickly escalate concerns and identify reportable incidents, mobilize the incident response team at any time, and have the appropriate internal representatives and external experts engaged from the first possible moment.
- Third-party contracts should be reviewed to ensure that required provisions are included to address revised compliance obligations. For example, to the extent that a compromise of a third-party service provider would trigger reporting obligations of the FRFI, the third party agreements may need to be revised to address the expedited reporting schedule and expanded category of reportable incidents.
- Protocols for processing payments should be reviewed to address the revised FINCEN requirements.
- Testing: Regular testing of the effectiveness of the policies and protocols, and revisions to address gaps and evolving threats.
- FRFIs should undertake a tabletop exercise to test their incident response plan with the new reporting requirements.