You will get hit by ransomware. Here’s how to ensure business continuity

By Paul Robichaux, Senior Director of Product Management at Keepit

Banking and finance industry must brace for strict regulations – DORA is coming, and the impact is global.

In today’s digital landscape, it’s not a question of if your business will get hit by ransomware, but when. The rate, scope, and complexity of ransomware attacks have all increased significantly over the last two years, posing a significant and growing threat to organizations of all sizes across industries. The key to mitigating this threat lies in how well-prepared you are to bounce back when the inevitable happens.

According to a 2023 Total Economic Impact study conducted by Forrester Consulting and commissioned by Keepit, three-quarters of security decision-makers reported experiencing a breach in the last 12 months. This highlights how pervasive ransomware attacks are now, and it underscores the urgent need for robust mitigation strategies. The study emphasizes that while backups are the best insurance policy against an attack, their effectiveness hinges on being part of a well-planned and tested backup and recovery process.

What can you do to mitigate impact?

So, what steps can organizations take today to prepare for and mitigate the impact of future ransomware attacks?

First and foremost, ensure that your disaster recovery measures are in place and that business continuity is secured. This involves mapping out your critical systems and data and identifying tier-one users who need quick restoration of access in the event of an attack. Prioritize which data are crucial for resuming your normal business operations, and ensure that your backup and recovery processes are regularly tested to validate their effectiveness.

In the realm of banking and finance, additional considerations come into play. With the implementation of the Digital Operational Resilience Act (DORA) in the European Union, financial institutions around the world are facing heightened scrutiny and regulatory requirements regarding cybersecurity practices. DORA mandates improvements in incident response capabilities, placing a greater emphasis on the need for resilient backup and recovery solutions.

DORA: From the EU with love…

DORA’s impact isn’t limited to European organizations. Its require banking and finance companies doing business in the EU and companies that do business with them to meet the requirements. That means, for example, that a US organization supplying technology and communication services to improve cybersecurity at a European financial institution may have to meet the DORA regulations. Incident response, disaster recovery, and even seemingly boring back-office technology services like voice networking or print and copy management, may fall under DORA’s umbrella.

Failure to comply with DORA can result in severe penalties, including fines of up to 2% of an entity’s total annual worldwide revenues. Therefore, it’s imperative for financial firms operating in the EU, as well as their technology suppliers, to align their backup and recovery policies with the requirements outlined in DORA.

Must-haves: Segregated backup and granular recovery

Choosing backup and recovery technology that is in compliance with DORA’s requirements for backup and recovery policies, procedures, and methods is critical. The technology should align closely with the core requirements of DORA. For example, article 12.3 says that “when restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorised access or ICT corruption and allow for the timely restoration of services making use of data and system backups as necessary.”

By using segregated backup systems that are securely protected from unauthorized access; by storing backup data in two separate, mirrored locations; and by maintaining full control over the technology stack, organizations can ensure the integrity and availability of critical data in the event of an attack.

Additionally, the granular data recovery capabilities provided by compliant backup and recovery solutions enable organizations to retrieve lost or compromised data quickly and easily, minimizing downtime and disruption to business operations. With the assurance of tamper-proof data integrity delivered through blockchain algorithms, compliant solutions offer a comprehensive approach to safeguarding against the impact of ransomware attacks.

And plenty of acronyms in the UK and US too: FCA, PRA, CISA and SEC

While the EU are often regarded as the frontrunner when it comes to regulations aimed at bolster cyber resilience, the UK and US are of course establishing their own regulations and setting down guidelines for specific industries.

In the UK “the FCA and PRA describe operational resilience as the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions and, accordingly, look beyond the technological aspect.” (White & Case Attorneys).

US banking regulators are in the game, too. The US Federal Reserve has spearheaded the issuance of ”Sound practices to strengthen operational resilience” as guidance, and the US Cybersecurity and Infrastructure Security Agency (CISA) have their own recommendations. Publicly traded companies fall under the guidelines issued by the Securities and Exchange Commission (SEC). Even individual states, such as New York and California, are expected to issue their own regulatory requirements. Most of these regulatory regimes have a lot of overlap with the core requirements of DORA: “have a backup, using a technology that provides isolated and tamper-proof backups, and be prepared to use it when necessary.”

While the threat of ransomware looms large, it’s not insurmountable. By proactively taking measures such as choosing robust backup and recovery solutions that adhere to regulatory frameworks like DORA, organizations can significantly lower downtime and mitigate the impact of attacks, ensuring business continuity in an increasingly volatile digital landscape.