Ransomware: How can changes in regulation help against this ever-evolving threat?
“The upcoming Operational Resilience regulations will be taxing. But look on their introduction as an opportunity”
James Drake, Senior Director at Xcina Consulting Limited
Ransomware has been on the threat radar for many years now and is not new to many businesses or industry sectors, yet we are all still feeling the effects and the approach to dealing with this threat is varied.
Some organisations will invest in new technologies and tools to assist in their recovery from an attack, whereas others will prefer to simply pay the ransom.
While we are trying to defend ourselves against the constant threat of ransomware, organisations are often challenged with an ever-evolving legal and regulatory landscape. We all experienced this with the introduction of GDPR, and there is not a day that goes by that I do not speak to a client regarding their challenges relating to this, even years after its introduction.
So, what can we do now?
It is widely recognised that good basic security hygiene measures will significantly reduce the impact or likelihood of a ransomware attack, e.g. maintaining regular patching of critical systems, or ensuring that system and data recovery processes are in place.
If your business is in the financial sector, you may already be aware of the FCA rules coming into effect on 31/03/2022 regarding Operational Resilience. This will be a challenge, but I always look at the introduction of new rules and regulations as an opportunity. When trying to decide where to invest limited funds and resources into new security controls, the introduction of new mandatory rules is one of the best drivers for prioritisation of those resources or potentially securing more.
What are the new rules and how do they help with Ransomware?
The FCA describes “Operational Resilience” as follows:
“Operational resilience is the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption.”
The reason this is so important in terms of ransomware is that the principles behind the controls to be put in place are commensurate with the controls that reduce the impact or likelihood of a ransomware attack even further. The principles are as follows:
- Identify your important business services – equally as important when designing controls to defeat ransomware.
- Set impact tolerances – Business Impact Assessment.
- Carry out mapping and testing – to a level of sophistication necessary to classify critical business services and identify vulnerabilities in their operational resilience.
- Conduct lessons-learnt exercises – to identify, prioritise, and invest in your ability to respond to and recover from disruptions as effectively as possible.
- Develop internal and external communications plans – for when important business services are disrupted.
- Maintain a self-assessment – document detailing the firm’s Operational Resilience journey.
Whether your business is in the financial sector or not, adopting the new FCA rules regarding Operational Resilience would significantly reduce the impact or likelihood of a ransomware attack affecting your business.