LENDERS COMPLIANCE GROUP®


Thursday, August 31, 2023

Mitigating Cyberattacks

QUESTION 

Well, it finally happened! We were hit with a cyberattack. We’re a small bank but have handled our cybersecurity carefully and passed safety and soundness exams. Yet, we were attacked. It seems nobody is safe! 

We don’t know where the attack came from, but a new computer consultant thinks our cybersecurity will need to be improved. She is especially concerned about internal threats by employees who do not follow our system rules. 

We would like you to suggest the types of proactive measures we should take to protect ourselves from cyberattacks. 

In what ways can we mitigate cyberattacks? 

ANSWER 

Your organization must be vigilant in protecting your data and operations from all threats, including ransomware, phishing, social engineering leading to business email compromises, and distributed denial-of-service (DDoS) attacks. The attacks include incidents directly related to critical vulnerabilities. 

All financial institutions and associated entities should take immediate and comprehensive action to protect their systems, sensitive data, and the financial well-being of their members. 

I will recommend certain primary mitigation steps and best practices. Monitoring, testing, and training must be ongoing to safeguard against evolving cyber threats. 

Here are nine proactive measures you can take to mitigate cyber threats. 

MITIGATING CYBER THREATS

1. Multifactor authentication 

Implement multifactor authentication for all sensitive accounts and systems, including email accounts and remote access portals. This measure adds an extra layer of protection against unauthorized access and phishing attempts. 

2. Employee cybersecurity awareness training 

Conduct regular cybersecurity training for all employees to raise awareness about phishing, social engineering, and other common attacks. Educate employees about the risks and implications of clicking suspicious links or opening malicious attachments. 

3. Email security and anti-phishing measures 

Deploy advanced email security solutions with phishing detection and blocking capabilities. A few that come to mind are the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols, which prevent email spoofing and enhance email authenticity. If you’re unfamiliar with these terms, speak to your consultant about them. 
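As an added illustration (example code, not part of the original post or Lenders Compliance Group's own material), here is a small Python check of what "enforcing" these three protocols actually looks like in a domain's DNS. The TXT records, domain names and the `selector1` DKIM selector are constructed for the example; a live check would look the records up with a DNS library instead of reading the embedded dictionary. The check flags an SPF record that does not end in `-all`, a DMARC policy weaker than `p=reject`, and a DKIM selector with no published key, which is the gap a consultant would look for first.

```python
import re

# Constructed sample DNS TXT records for two hypothetical domains (no real lookups
# are made; a live check would query these names with a DNS library).
SAMPLE_TXT_RECORDS = {
    "weak.example": {
        "weak.example": ["v=spf1 include:_spf.mail.example ?all"],
        "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
        "selector1._domainkey.weak.example": [],
    },
    "strong.example": {
        "strong.example": ["v=spf1 include:_spf.mail.example -all"],
        "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
        "selector1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    },
}


def parse_tags(record):
    """Parse 'tag=value; tag=value' text (DMARC and DKIM records) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt_records, dkim_selector="selector1"):
    """Return a list of weaknesses in the domain's SPF, DKIM and DMARC records.
    An empty list means all three are present and set to enforce."""
    findings = []

    # SPF: the trailing 'all' mechanism decides what happens to senders not on the list.
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record; any server can claim to send for this domain")
    else:
        if len(spf) > 1:
            findings.append("SPF: more than one record; receivers treat this as a permanent error")
        if re.search(r"\s-all\s*$", spf[0]) is None:
            if re.search(r"\s~all\s*$", spf[0]):
                findings.append("SPF: softfail (~all); spoofed mail is only marked, not rejected")
            else:
                findings.append("SPF: neutral or missing 'all'; spoofed mail passes SPF")

    # DMARC: without p=reject, SPF/DKIM failures are reported but delivery is not blocked.
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record; SPF and DKIM results are never enforced")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy or 'missing'}; only p=reject rejects spoofed mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua address; aggregate reports are not being collected")

    # DKIM: the selector must publish a public key (p=) or receivers cannot verify signatures.
    dkim = txt_records.get(f"{dkim_selector}._domainkey.{domain}", [])
    if not any(parse_tags(r).get("p") for r in dkim):
        findings.append(f"DKIM: no public key at selector '{dkim_selector}'; signatures cannot be verified")
    return findings


if __name__ == "__main__":
    for name, records in SAMPLE_TXT_RECORDS.items():
        print(name, assess_domain(name, records) or ["no findings"])
```

Run against the two constructed domains, `weak.example` produces one finding for each protocol and `strong.example` produces none; the point of the exercise is that a record merely existing is not the same as it being set to reject.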

4. Incident response plan 

Develop and regularly test an incident response plan to ensure a swift and coordinated response in the event of a cyberattack. Assign specific roles and responsibilities to designated personnel and rehearse various attack scenarios. Be sure to have a robust Disaster Recovery and Business Continuity Plan. Also, establish a Crisis Command Structure. 

Learn about our Disaster Recovery and Business Continuity Plan. 

 5. Vendor risk management 

Review and assess the cybersecurity practices of all third-party vendors that provide financial services and products. Verify that vendors use sound risk management principles, have robust security measures, and regularly review their security posture. 

6. Network segmentation and DDoS protection 

Implement network segmentation to contain the impact of a potential compromise. Deploy DDoS protection measures, such as traffic filtering and rate limiting, to defend against DDoS attacks. Speak to your consultant about how best to implement this process. 

7. Regular data backups and recovery testing 

Maintain frequent data backups and test the data recovery process regularly. In a ransomware attack, backups can prevent data loss and reduce the need to pay the ransom. 

8. Threat intelligence sharing 

Participate in threat intelligence-sharing communities to stay informed about emerging threats and attack trends. Sharing information can help strengthen the industry’s collective defense. 

9. Continuous monitoring and security updates 

Monitor network traffic, logs, and systems continuously to detect and respond promptly to suspicious activities. Stay informed about the latest security updates and apply patches promptly. 
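What "detect and respond promptly to suspicious activities" means in practice is a rule that runs over the logs as they arrive. As an added example (not from the original post or the firm's materials), here is a Python detector that reads constructed SSH authentication lines, counts failed logins per source address inside a sliding ten-minute window, raises an alert at five failures, and marks the alert if a successful login from that address follows, which is the pattern of a password-guessing attack that eventually worked. The log format, host names and addresses are invented for the example; the same logic applies to any authentication log once the parsing regex is adjusted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (hypothetical hosts and addresses, not real data).
SAMPLE_LOG = """\
2023-08-30T09:00:01Z auth sshd: Failed password for jdoe from 203.0.113.7
2023-08-30T09:00:04Z auth sshd: Failed password for jdoe from 203.0.113.7
2023-08-30T09:00:09Z auth sshd: Failed password for admin from 203.0.113.7
2023-08-30T09:00:15Z auth sshd: Failed password for root from 203.0.113.7
2023-08-30T09:00:20Z auth sshd: Failed password for backup from 203.0.113.7
2023-08-30T09:00:31Z auth sshd: Accepted password for jdoe from 203.0.113.7
2023-08-30T09:05:00Z auth sshd: Failed password for mchen from 198.51.100.2
2023-08-30T09:45:00Z auth sshd: Failed password for mchen from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Alert on any source IP with >= threshold failed logins inside a sliding window.
    A later successful login from an alerted IP is flagged as a possible compromise."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)    # ip -> accounts that address has failed against
    alerts = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        ip = e["ip"]
        if e["result"] == "Failed":
            users[ip].add(e["user"])
            # keep only failures within `window` of this one, then add this one
            recent[ip] = [t for t in recent[ip] if e["ts"] - t <= window] + [e["ts"]]
            if len(recent[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"first_failure": recent[ip][0],
                              "failures_in_window": len(recent[ip]),
                              "accounts_tried": sorted(users[ip]),
                              "followed_by_success": False}
        elif ip in alerts:
            alerts[ip]["followed_by_success"] = True
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

In the sample, `203.0.113.7` trips the rule on its fifth failure and the later `Accepted` line upgrades the alert to a suspected account takeover, which is the case that needs a credential reset rather than just a block; `198.51.100.2` has two failures forty minutes apart and stays below the threshold, illustrating why the window matters as much as the count.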

Proactive cybersecurity measures safeguard systems and data integrity and confidentiality. Consider adopting these mitigation steps and best practices, as they can enhance your security posture and protect against cyberattacks.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

Thursday, May 4, 2023

Data Breach – An Unprepared Company

QUESTION 

We were just hit with a data breach and were completely unprepared for it. Hackers took personal information from our corporate server. We believe that customer information was stolen. The hacker also went after our website, meaning information there may be exposed. 

Our Business Continuity policy is all of two pages. We put it together by pasting it from a few Google searches. You may think we are a small mortgage lender, but we have branches in eight states and originate a large volume of mortgage loans. 

We have already alerted law enforcement. We are working on a quick plan to notify investors and customers. But we have no process to follow for this data breach. We're working without a guide. 

All of us in management know you have written a lot about issues like ours. Please help as soon as possible. 

What should we do immediately if we are hacked? 

ANSWER 

NOTE: This article provides links to subject articles, presentations, and a complimentary Data Breach: Quick Reference Checklist. 

As many of you know, I am like a Mother Hen regarding our clients, always looking to protect them. And through these weekly newsletters, I try to ensure our readers are made aware of regulatory compliance challenges. However, some readers ignore my advice, one of which is the importance of having a policy for Business Continuity. 

Our Business Continuity plan is comprehensive. We believe it meets regulatory scrutiny; however, I don't care if you want ours or another firm's policy. Assuming the policy is reliable, get it and implement it! If you are not operating with a plan, your company is unprepared for a data breach. Also consider our mini-audit, BCP Tune-up, which provides a review of your Business Continuity plan and procedures.

For information about our Business Continuity Plan, click HERE.

For information about our BCP Tune-up, click HERE.

Here are just some articles I have published on Business Continuity: 

·       Disaster Recovery and Business Continuity

·       Cybersecurity Rule – Proposed Updates

·       Ransomware Payments

·       Prohibited Acts and Practices

·       Large Bank Cybersecurity Challenges

·       UDAAP Violations caused by Insufficient Data Protection

·       Mother of All Computer Bugs

·       Phishing Scams

·       Intrusion Detection Terms 

As Falstaff said, "Better three hours too soon than a minute too late." 

Don't delay. Procrastinate at your peril! 

Let's turn to the situation you find yourself in, to wit, a data breach and no plan for Business Continuity, which should include a Disaster Recovery component. 

If your company experiences a data breach, you should notify law enforcement, other affected businesses, and individuals. Since I do not know your company's size, complexity, or risk profile, my remarks are necessarily generic. 

However, I will provide a bulleted outline so you can act promptly. 

Request the complimentary Data Breach: Quick Reference Checklist. 

Evidence

·       Do not destroy evidence.

·       Don't destroy any forensic evidence in the course of your investigation and remediation.

·       Document your investigation. 

Immediate Response

·       Secure physical areas potentially related to the breach. Lock them and change access codes.

·       Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the nature of the breach and the structure of your business.

·       Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and complexity of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.

·       Identify a data forensics team. Consider hiring independent forensic investigators to help you determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.

·       Consult with legal counsel. You may consider hiring counsel with privacy and data security expertise. They can advise you on federal and state laws that a breach may implicate. 

Stop Data Loss

·       Take all affected equipment offline immediately — but don't turn any machines off until the forensic experts arrive.

·       Closely monitor all entry and exit points, especially those involved in the breach.

·       If possible, put clean machines online in place of affected ones.

·       Update credentials and passwords of authorized users. If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you've removed the hacker's tools. 

Remove Web Vulnerability

·       Your website – If the data breach involved personal information improperly posted on your website, immediately remove it. Be aware that internet search engines store, or "cache," information for some time. You can contact the search engines to ensure that they don't archive personal information posted in error.

·       Other websites – Search for your company's exposed data to ensure no other websites have saved a copy. If you find any, contact those sites and ask them to remove it. This applies to websites operated by your company's loan officers and agents. 

Interviews

·       People who discovered the breach should be interviewed.

·       Talk with anyone else who may know about it. 

·       If you have a customer service center, ensure the staff knows where to forward information that may aid your investigation of the breach. 

Service Providers

·       If service providers were involved, examine what personal information they can access and decide if you need to change their access privileges.

·       Ensure your service providers take the necessary steps to ensure another breach does not occur.

·       If your service providers say they have remedied vulnerabilities, verify that they fixed things.

Thursday, September 22, 2022

Cybersecurity Rule – Proposed Updates

QUESTION

Our Cybersecurity Policy is a good one. I know this because we have had an examination, and the regulator approved it. 

Although we are a mid-west company, I notice that New York requires an update to its cybersecurity rule. That makes me nervous since New York’s cybersecurity requirements influence many states. 

I want to update our Cybersecurity Policy to reflect New York’s requirements. Sooner or later (probably sooner), our state is going to adopt the same requirements. 

What are the new Cybersecurity Policy requirements in New York? 

ANSWER

New York’s Department of Financial Services (DFS) has been quite active in requiring its licensees to comply with its Cybersecurity Rule (“Rule”). Effective March 1, 2017, the DFS promulgated a regulation[i] implementing the Rule. 

I published a White Paper about the Rule in advance of its effective compliance date, entitled 

Cybersecurity Guidelines – "First-in-the-Nation" Regulation. 

You’re welcome to download it HERE. 

From its inception, the Rule has required certain individuals and entities, called “Covered Entities,” to comply with it. Covered Entities include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the banking law, the insurance law, or the financial services law. 

I agree that the DFS influences other state banking departments vis-à-vis cybersecurity regulations. Now, the DFS is proposing to update the Rule.[ii] So, it’s a good time to anticipate policy and procedure revisions. Even if the proposed Amendments (“Amendments”) are not adopted in full or at all, given the rapidly evolving cyber threat landscape and, in particular, the growing prevalence of ransomware incidents, many aspects of the Amendments reflect Best Practices. 

Some of the proposed changes are rather significant. For instance, the updated Rule will have such requirements as a mandatory 24-hour notification for cyber ransom payments, heightened cyber expertise requirements for board members, and new access restrictions to privileged accounts. 

I will provide a brief summary of the proposed updates. Covered entities should monitor whether the DFS formally proposes amendments to ensure they are equipped technically, organizationally, and financially to meet the heightened governance, technical, and notification obligations. 

Notification Obligations 

The Amendments will create new requirements to notify the DFS of certain incidents. Specifically, there will be a requirement to notify the DFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a material part of the covered entity’s information systems. 

Furthermore, covered entities will be required to notify the DFS within 24 hours of a covered financial institution making a ransomware payment connected to a cybersecurity event; additionally, there will be a requirement to provide the DFS within 30 days with an explanation of (a) why the payment was necessary, (b) whether alternatives were considered, and (c) what sanctions diligence was conducted. 

Risk Assessments 

There are risk assessment requirements under the current Cybersecurity Rule. Under the Rule, a covered entity must conduct a periodic risk assessment of its information systems “sufficient to inform the design of” its cybersecurity program required by the Rule and must update the risk assessment to address various changes, developments, and threats. The Amendments will expand upon the Rule’s definition of a “Risk Assessment” and more clearly articulate that an assessment must “take into account the specific circumstances of the covered entity.” The Amendments also would clarify that a covered entity’s risk assessment must be updated at least annually or whenever a change in business or technology “causes a material change to the covered entity’s cyber risk.” 

Heightened Monitoring 

The Amendments will add several new monitoring requirements to the Rule, including:

·     Completion of an asset inventory that tracks information (e.g., owner, location, classification or sensitivity, support expiration date, and recovery time requirements) for each technology asset (e.g., hardware, operating systems, applications, infrastructure devices, APIs, and cloud services), and requirements for updating and validating the asset inventory;

·     Heightened access controls for privileged accounts, such as limiting access to a need-to-know basis, implementing multifactor authentication, and securely configuring or disabling protocols that permit remote control of devices;

·     Regular phishing training and exercises for all personnel; and

·     Monitoring and filtering of emails to block malicious content.
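The asset inventory item above lists the fields each record must carry and says the inventory must be validated. As an added example (not from the original post, and not a DFS-supplied tool), the Python check below runs the kind of validation a reviewer would want: it flags records that are missing any of the prescribed fields, records whose support expiration date has already passed, and dates that cannot be parsed at all. The asset records, field names and the review date are constructed for the example.

```python
from datetime import date

# Fields mirroring the information the Amendments say an inventory should track
# (names chosen for this example; a real inventory schema may label them differently).
REQUIRED_FIELDS = ("name", "type", "owner", "location", "classification",
                   "support_expires", "rto_hours")

# Constructed sample inventory of hypothetical assets.
SAMPLE_INVENTORY = [
    {"name": "los-db-01", "type": "database server", "owner": "it-ops", "location": "dc-east",
     "classification": "confidential", "support_expires": "2026-06-30", "rto_hours": 4},
    {"name": "branch-fw-07", "type": "firewall", "owner": "netsec", "location": "branch-07",
     "classification": "internal", "support_expires": "2023-01-31", "rto_hours": 8},
    {"name": "crm-saas", "type": "cloud service", "owner": "", "location": "vendor",
     "classification": "confidential", "support_expires": "2025-12-31", "rto_hours": 24},
    {"name": "old-scanner", "type": "api", "owner": "dev", "location": "dc-east",
     "classification": "", "support_expires": "bad-date", "rto_hours": 24},
]


def validate_inventory(inventory, today):
    """Return {asset_name: [issues]} for every asset that would fail the inventory review.
    Assets with no issues are omitted, so an empty dict means the inventory is clean."""
    issues = {}
    for asset in inventory:
        problems = []
        for field in REQUIRED_FIELDS:
            if asset.get(field) in (None, ""):
                problems.append(f"missing {field}")
        expires = asset.get("support_expires")
        if expires:
            try:
                # an asset past vendor support can no longer receive security patches
                if date.fromisoformat(expires) < today:
                    problems.append("support expired")
            except ValueError:
                problems.append("unparseable support_expires")
        if problems:
            issues[asset.get("name", "<unnamed>")] = problems
    return issues


if __name__ == "__main__":
    for name, problems in validate_inventory(SAMPLE_INVENTORY, date.today()).items():
        print(f"{name}: {', '.join(problems)}")
```

The "support expired" finding is the one with the most security weight: an unsupported firewall or operating system is exactly the asset that stays unpatched, so a validation run like this belongs on the same schedule as the inventory update requirement.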

Governance 

Governance will be updated in the Amendments to include new obligations, including:

·     CISO independence and authority to ensure that cyber risks are appropriately managed;

·     Additional CISO reporting obligations to the board of directors, including plans for remediating inadequacies and timely reporting on material cybersecurity issues or major cybersecurity events (which are not defined);

·     Expertise and knowledge thresholds for board members (or requirements that persons with such expertise and knowledge advise them) such that they can exercise effective oversight of cyber risk;

·     Cybersecurity policy approval by the board (i.e., not senior management);

·     Annual certification of compliance with the Cybersecurity Rule by the CEO and CISO, as differentiated from a senior officer;

·     Required business continuity and disaster recovery (“BCDR”) plans, which would need to include certain prescribed content, such as identification of essential data, personnel, and infrastructure, a communications plan in the event of a disruption, and procedures for the maintenance of backup infrastructure;

·     Periodic testing of incident response and BCDR plans, including the ability to restore systems from backups, specifically to address ransomware incidents; and

·     Annual review by the CISO of the feasibility of encryption and the effectiveness of compensating controls, as well as a requirement to implement a written policy requiring industry-standard encryption to protect nonpublic information held at rest or transmitted over external networks by the covered entity. 

Larger (Class A) Companies 

The Amendments will impose additional cybersecurity obligations on a new category of covered entities, so-called “Class A Companies.” Under the Amendments, a “Class A Company” would be a covered entity with: (1) over 2,000 employees; or (2) over $1 billion in gross annual revenues averaged over the last three years from all of its business operations and those of its affiliates.  

These Class A Companies would be subject to additional cybersecurity obligations, including: 

·     Annual independent audits of the company’s cybersecurity program; 

·     Weekly vulnerability assessments, including systematic vulnerability scans and reviews of information systems, with documentation and reporting to the board and senior management of material gaps identified by these assessments; 

·     Password controls, including a “vaulting solution” for privileged accounts and an automated method for blocking commonly used passwords; 

·     Monitoring of anomalous activity by way of an endpoint detection and response solution, with a centralized solution for logging and security event alerting; and 

·     Risk assessments by external experts at least once every three years. 
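The "automated method for blocking commonly used passwords" in the Class A list is straightforward to build, and the subtlety is worth seeing. As an added example (not from the original post or any DFS guidance), the Python check below screens a candidate password against a denylist, but first normalizes both sides so that `P@ssw0rd123!` is recognized as `password` rather than slipping through on a cosmetic variation. The denylist here is a handful of constructed entries; a production control would load a large breached-password corpus and keep the same normalization.

```python
import unicodedata

# Constructed denylist; a deployed control would load a large breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2023"}

# Common character substitutions people use to dress up a weak password.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Fold case, trailing digits/punctuation and leet substitutions so that
    'P@ssw0rd123!' and 'password' compare equal."""
    p = unicodedata.normalize("NFKC", password).lower()
    stripped = p.rstrip("0123456789!.?")
    p = stripped or p  # an all-digit password such as '123456' stays as-is
    return p.translate(SUBSTITUTIONS)


# Normalize the denylist once so each lookup is a single set membership test.
NORMALIZED_DENYLIST = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(candidate, min_length=12):
    """Return (accepted, reason). Length is checked first, then the denylist."""
    if len(candidate) < min_length:
        return False, "too short"
    if normalize(candidate) in NORMALIZED_DENYLIST:
        return False, "matches a commonly used password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "Welcome1", "correct-horse-battery"):
        print(pw, check_password(pw))
```

Two design points: the denylist is normalized once at load time rather than per check, and normalization is applied identically to both sides, because a blocklist that only matches exact strings is the one users learn to defeat with a trailing `1!`.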

Even if a covered entity does not qualify as a Class A Company, it should consider implementing at least some of the Class A obligations.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 23 NYCRR Part 500

[ii] Announced by the DFS on July 29, 2022

Thursday, March 10, 2022

Russian Sanctions: Filing the Suspicious Activity Report

QUESTION

We have just gotten our first potential SAR filing obligation triggered by the Russian sanctions. We contacted other financial institutions in our area, and they are starting to get a few transactions affected by these sanctions. 

Our legal team says we should be filing the SAR, but they have no idea what information should be filed specific to the Russian sanctions themselves. 

We’re also not sure of the Red Flags to use in connection with the sanctions. We implement a risk-based, customer due-diligence program, especially since we began accepting cryptocurrency transactions late last year. 

We are desperate for guidance since the SAR has to be filed immediately. 

What types of Red Flags should we be alert to for the Russian sanctions? 

About the cryptocurrency transactions, how do we monitor them for SAR filing? 

And, how do we complete the SAR to ensure it gets recognized as a SAR involving a Russian sanction? 

ANSWER

Given the critical impasse you are at and the immediate demand for BSA compliance caused by the horrific war in Ukraine, we have moved your inquiry to the top of the FAQ list. I will provide a response that should help you procedurally. The Financial Crimes Enforcement Network (FinCEN) closely monitors SARs filed in response to the sanctions relating to Russia and Belarus (and other affiliated persons). 

If you are unsure of the filing requirements and need information, I suggest that you contact FinCEN’s Regulatory Support Section at frc@fincen.gov. If you need to expedite the filing, you should call FinCEN’s toll-free hotline at (866) 556-3974 (continuously monitored). Keep in mind that you should immediately report any imminent threat to law enforcement officials in your region. 

It is helpful that you contacted and shared your concerns with financial institutions in your area. Information sharing among financial institutions is critical to identifying, reporting, and preventing evolving sanctions evasion, ransomware and cyber attacks, and laundering of the proceeds of corruption. 

Financial institutions and associations of financial institutions sharing information under the safe harbor authorized by section 314(b) of the USA Patriot Act may share information with one another regarding individuals, entities, organizations, and countries suspected of possible terrorist financing or money laundering.[i] Indeed, FinCEN strongly encourages such voluntary information sharing. 

The financial institutions affected by the Russian sanctions include:

·       Casinos;

·       Depository Institutions;

·       Insurance Industry;

·       Money Services Businesses;

·       Mortgage Companies and Brokers;

·       Precious Metals and Jewelry Industry;

·       Securities and Futures. 

A financial institution is required to file a SAR if it - 

(A) knows, suspects, or has reason to suspect a transaction conducted or attempted by, at, or through the financial institution involves funds derived from illegal activity, or attempts to disguise funds derived from illegal activity;

(B) is designed to evade regulations promulgated under the BSA;

(C) lacks a business or apparent lawful purpose; or

(D) involves the use of the financial institution to facilitate criminal activity, including sanctions evasion.[ii] 

Furthermore, all statutorily defined financial institutions may voluntarily report suspicious transactions under the existing suspicious activity reporting Safe Harbor.[iii] 

Filing the SAR does not in itself mean that somebody is guilty of money laundering. Nevertheless, it is imperative to be attentive to efforts to evade the expansive sanctions and other U.S.-imposed restrictions implemented in connection with the Russian Federation’s invasion of Ukraine. 

In the last two months, Lenders Compliance Group has experienced a substantial increase in engagements for Anti-Money Laundering Program Tests (statutorily required), Anti-Money Laundering Program Risk Assessments, and Anti-Money Laundering Program Training (statutorily required). You must retain a recognized compliance firm whose audits, reports, and training meet a high level of regulatory scrutiny to ensure you have appropriate protection and remain in full compliance with FinCEN guidelines. 

Please get in touch with us HERE, and we’ll do our best to get your AML compliance needs into our schedule as soon as possible. 

In a recent FinCEN alert,[iv] FIN-2022-Alert001,” (sic) a set of select Red Flags was provided to identify potential sanctions evasion activity; however, the list is not meant to be exhaustive. The issuance also provides the obligations with respect to cryptocurrency, generically referred to as “convertible virtual currency” (CVC). 

Evading sanctions is nothing new for crooks. However, due to the Russian and Belarusian actions, sanctioned Russian and Belarusian actors may seek to evade sanctions through various means, such as by moving transactions through non-sanctioned Russian and Belarusian financial institutions and financial institutions in third countries. Red Flags should be taken as one of the tools to identify such transactions, but you will also need to add to the list as incidents require. 

Activities involving the evasion of sanctions are often conducted by various actors, including CVC exchangers and administrators within or outside Russia, given that these entities may retain at least some access to the international financial system. The money laundering pipeline consists of all manner of individuals, such as corrupt senior foreign political figures, their families, and their associates (viz., foreign “politically exposed persons” or PEPs),[v] or associated entities and financial facilitators, to evade U.S. sanctions or otherwise hide their assets.

Wednesday, December 22, 2021

Mother of All Computer Bugs

QUESTION
I hate to be the bearer of bad tidings right before Christmas, but I would like you to put my question on top of the others since this concerns a worst-case scenario of cybersecurity and ransomware. I am with a large regional mortgage lender, and I am the company’s CISO. 

On December 20th, The Washington Post reported that a new bug was discovered called “log4j.” It was found on December 9th. This is like the mother of all computer bugs! 

The article says that cloud storage companies such as Google, Amazon, and Microsoft – companies that provide the digital backbone for millions of other apps – are affected. Giant software sellers are affected, too, such as IBM, Oracle, and Salesforce. And, devices that connect to the Internet (i.e., TVs and security cameras) have been hit. Hackers can get into digital spaces and steal information or plant malicious software. This bug is virtually everywhere and affects billions of computers. 

We anticipate that ransomware attackers will now have a new way to break into computer networks and freeze out their owners. I really think you should put back up the links to your Ransomware policies and checklists. 

Banks or mortgage companies, big and small, accepting cryptocurrencies are also affected because they will be targeted and asked to send millions in cryptocurrency to hackers or risk being locked out of their computers indefinitely and exposing their sensitive information. 

My question is, Would you provide your readership with information from the government agency that monitors and advises the public about this threat?

ANSWER
Thank you for your timely question. Given the urgency, I have prioritized it for a response. I am grateful that you have contacted us to assist in making our readership aware of this immense computer threat. 

The computer bug, “log4j,” allows hackers to reach deep into systems, bypassing the typical defenses software companies use to block attacks. 

The article you cite is "The ‘most serious’ security breach ever is unfolding right now. Here’s what you need to know." It was published in The Washington Post on December 20th.  

The article quotes Jen Easterly, the Director of the U.S. Cybersecurity and Infrastructure Security Agency, saying, “The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.” You can watch Director Easterly’s interview HERE.

According to the article, “The fact that log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by millions of people to keep their doors shut was suddenly discovered to be ineffective. Switching a single lock for a new one is easy, but finding all the millions of buildings that have that defective lock would take time and an immense amount of work.” 

Because you are the Chief Information Security Officer (CISO), the remit of your undertaking is to implement the information security program, which includes the requirements to protect system assets from internal and external threats. 

The CISO has a direct responsibility to maintain the company’s security posture, which is a different task than required of the Chief Information Officer (CIO), a position that involves oversight and managing the overall systems. The CISO and CIO work together. The former is engaged in the hands-on, precise application of cybersecurity initiatives. The latter maintains the overall system comprehensiveness and usually reports to top management and the board of directors. 

As of today’s date, the bug is careening through millions of computers and degrading millions of enterprise systems and Cloud services. You mentioned the threat of ransomware attacks. Indeed, I have written extensively about them as well as cybersecurity. You can read some of my posts, such as:

I have published articles and White Papers on cybersecurity guidelines, one of which concerns the cybersecurity guidelines promulgated by the New York Department of Financial Services (DFS). The regulation took effect on March 1, 2017, and has been continuously updated. The DFS has provided a model for cybersecurity guidelines in many state banking departments. For an overview, I suggest you download my article Cybersecurity Guidelines - "First-In-The-Nation" Regulation. Consider implementing similar requirements.

We provide a free Ransomware checklist. We also offer exceptional and reasonably priced policies and procedures for Ransomware as well as Cybersecurity. For more information, visit our website.

Short of letting the engineers figure out how to stop the bug, people can take several precautions, such as avoiding phishing emails that trick you into clicking a link or opening an attachment. This new bug vulnerability means that computers will be hit with many such messages as hackers plant malicious code before the computer gets a corrective patch. Also, be sure that the computer’s operating system and apps are updated. 

The government agency monitoring the log4j bug is the Cybersecurity and Infrastructure Security Agency (CISA). CISA has published Emergency Directive 22-02, Mitigate Apache Log4j Vulnerability.

The agency has a continuously updated and highly technical log4j webpage. However, the webpage does provide an Additional Resources section that offers helpful guidance, such as CISA’s Cyber Essentials.

I suggest that senior management review Questions Every CEO Should Ask About Cyber Risks.

Also, I recommend FFIEC's Information Security Booklet, in the Information Technology Examination Handbook. Amongst the many tools provided by FFIEC, the Cybersecurity Assessment Tool helps to identify cyber-risks and determine cybersecurity preparedness.

Jonathan Foxx, Ph.D., MBA

Chairman & Managing Director
Lenders Compliance Group

Thursday, November 11, 2021

Ransomware Payments

QUESTION
We are a large mortgage lender in the northeast. I am the Chief Compliance Officer. We have multiple platforms, licensed in all states, and maintain an extensive servicing unit. 

Jonathan, thank you for the weekly posts. And we are grateful that you provided the ransomware checklist. Most companies would make us pay for this kind of checklist, but you offered it for free. That is real commitment! And it has helped us to configure our ransomware security. 

Recently, we learned that another large lender was hit with a ransomware attack. The attacker wants to be paid in cryptocurrency. Admittedly, we are unprepared to respond to such a demand if it happens to us. Frankly, I don’t know how cryptocurrency even works in ransomware attacks. So, we are coming to you to get an understanding. 

What role does cryptocurrency play in ransomware attacks? 

ANSWER
First and foremost, thank you for subscribing. Our posts are a labor of love as an expression of our commitment to the mortgage community. HERE’s a list of some recent FAQs. 

I also appreciate that you are using our ransomware checklist. It covers preparation, response, and recovery. If anyone wants it, please click HERE. It’s free. 

I suppose we could be paid for some of the tools we provide, but our mission is to serve and share. It is certainly possible to grow a compliance firm without having to charge for every single thing we do. We are the living proof of that philosophy! 

Lenders Compliance Group has been thriving and growing since 2006. It is strong and continuing to scale because we are focused on our clients’ compliance experience. Our goal is to help a company to build and maintain a Culture of Compliance®, a term we have pioneered for many years. 

Our team consists of some of the top professionals in mortgage compliance. Believe me, it makes a difference! 

Ransomware is an escalating concern with federal and state regulators. If you are not ready for a ransomware examination, be advised, it’s on the way. Financial institutions play a critical role in the collection of ransom payments. In effect, an institution becomes a facilitator of ransomware payments, whether handling its own response to a ransomware attack or acting as a financial intermediary. 

The severity and sophistication of ransomware attacks continue to rise[i] across various sectors, particularly governmental entities and financial, educational, and healthcare institutions.[ii] Ransomware attacks on small municipalities and healthcare organizations have increased, likely due to the victims’ weaker cybersecurity controls, such as inadequate system backups and ineffective incident response capabilities.[iii] 

So, let’s take a closer look at ransomware payments, especially as these relate to cryptocurrency. 

Most ransomware schemes involve convertible virtual currency (CVC), which is the preferred payment method of ransomware perpetrators. You might as well get used to this terminology. CVC is inherent in ransomware payments. The payment process is a bit complicated, so stay with me as I discuss it. 

Let me outline a typical ransomware payment flow using CVC. After the delivery of the ransom demand occurs, a ransomware victim will usually transmit funds via wire transfer, automated clearinghouse, or credit card payment to a CVC exchange to purchase the type and amount of CVC specified by the ransomware perpetrator. Next, the victim or an entity working on the victim’s behalf sends the CVC, often from a “wallet” hosted at the exchange,[iv] to the perpetrator’s designated account or CVC address. 

Then, the perpetrator launders the funds through various means – including “mixers,” “tumblers,”[v] and “chain hopping”[vi] – to convert funds into other CVCs. These transactions are often structured into smaller “smurfing”[vii] transactions involving multiple persons and across many different CVC addresses, accounts, and exchanges, including peer-to-peer (P2P)[viii] and “nested” exchanges. Criminals prefer to launder their ransomware proceeds in jurisdictions with weak anti-money laundering (AML) and countering the financing of terrorism controls. 

That’s a brief but serviceable outline of the payment process in a nutshell. 
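The payment flow above is also what a financial institution's transaction monitoring has to look for from the other side: an accountholder who fans a total out into many sub-threshold CVC transfers to several addresses (the “smurfing” pattern), or who sends funds to an address the institution has already tagged as a mixer deposit address. The following is an added illustration written for this post, not a tool from Lenders Compliance Group or from any regulator; the ledger, account names, addresses, watchlist entry and thresholds are all constructed placeholders, and a real program would tune the thresholds to its own risk appetite and escalate alerts into its SAR review process.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    """One outgoing CVC transfer from an accountholder's hosted wallet."""
    ts: datetime
    source_account: str
    dest_address: str
    amount: float  # denominated in CVC units


# Constructed sample ledger: hypothetical accounts and addresses, not real data.
_BASE = datetime(2021, 11, 1, 9, 0)
SAMPLE_TRANSFERS = (
    # acct-A: six sub-threshold transfers to four distinct addresses in 2.5 hours
    [Transfer(_BASE + timedelta(minutes=30 * i), "acct-A", f"addr-{i % 4}", 0.7)
     for i in range(6)]
    # acct-B: two large transfers, plus one small transfer to a watchlisted address
    + [Transfer(_BASE, "acct-B", "addr-9", 5.0),
       Transfer(_BASE + timedelta(hours=1), "acct-B", "addr-9", 4.5),
       Transfer(_BASE + timedelta(hours=2), "acct-B", "addr-mixer-PLACEHOLDER", 0.2)]
    # acct-C: six small transfers, but all to the same address (no fan-out)
    + [Transfer(_BASE + timedelta(minutes=10 * i), "acct-C", "addr-7", 0.5)
       for i in range(6)]
)

# Constructed watchlist: addresses the institution has tagged as mixer/tumbler
# deposit addresses. The entry is a placeholder, not a real address.
WATCHLIST = frozenset({"addr-mixer-PLACEHOLDER"})


def find_structuring(transfers, window=timedelta(hours=24), min_count=5,
                     per_tx_max=1.0, aggregate_min=3.0, min_destinations=3):
    """Return {account: details} for accounts whose outgoing transfers within
    some rolling window look like smurfing: at least min_count transfers each
    at or below per_tx_max, adding up to at least aggregate_min, and spread
    across at least min_destinations distinct addresses. The details kept are
    those of the widest qualifying window for the account."""
    by_source = defaultdict(list)
    for t in transfers:
        by_source[t.source_account].append(t)

    alerts = {}
    for account, txs in by_source.items():
        txs.sort(key=lambda t: t.ts)
        best = None
        start = 0
        for end in range(len(txs)):
            # Slide the window start forward until txs[start:end+1] fits the window.
            while txs[end].ts - txs[start].ts > window:
                start += 1
            small = [t for t in txs[start:end + 1] if t.amount <= per_tx_max]
            if len(small) < min_count:
                continue
            total = sum(t.amount for t in small)
            destinations = {t.dest_address for t in small}
            if total >= aggregate_min and len(destinations) >= min_destinations:
                if best is None or len(small) > best["count"]:
                    best = {
                        "count": len(small),
                        "total": round(total, 8),
                        "destinations": len(destinations),
                        "first": small[0].ts,
                        "last": small[-1].ts,
                    }
        if best is not None:
            alerts[account] = best
    return alerts


def flag_watchlisted(transfers, watchlist):
    """Return the transfers whose destination address is on the watchlist."""
    return [t for t in transfers if t.dest_address in watchlist]


if __name__ == "__main__":
    for account, details in find_structuring(SAMPLE_TRANSFERS).items():
        print(f"structuring alert: {account} {details}")
    for t in flag_watchlisted(SAMPLE_TRANSFERS, WATCHLIST):
        print(f"watchlist hit: {t.source_account} -> {t.dest_address} ({t.amount})")
```

On the constructed ledger only acct-A trips the structuring rule: acct-C moves the same total in the same number of small transfers but to a single address, which is why the fan-out test (min_destinations) is part of the rule rather than the count alone, and acct-B is caught only by the watchlist check. Loosening min_destinations to 1 makes acct-C an alert as well, which is the kind of tuning decision a compliance team would document.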

But your company should ensure that it has a ransomware policy that covers the payment concerns and the many derivative repercussions. These other aspects and nuances are where your responsibilities as a compliance manager should also be focused. 

For instance, cyber insurance companies (CICs) and digital forensic and incident response (DFIR) companies play a role in ransomware transactions. CICs issue policies designed to mitigate an entity’s losses from various cyber incidents, such as data breaches, business interruption, and network damage. CICs may reimburse policyholders for particular remediation services, including the use of DFIRs if needed. Indeed, as part of incident remediation, some financial institutions have hired a DFIR company to negotiate with the cybercriminal, facilitate payment to the cybercriminal, and investigate the source of the cybersecurity breach. 

Some DFIR companies and CICs facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Thus, depending on the particular facts and circumstances, this activity could constitute money transmission. 

Of course, FinCEN does not hesitate to take action against entities and individuals engaged in money transmission if they fail to register with FinCEN or comply with their other AML obligations. 

Financial institutions involved in ransomware payments should be aware of any Office of Foreign Assets Control (OFAC)-related obligations that may arise from that activity.[ix] On September 21, 2021, OFAC issued an updated advisory highlighting the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities.[x] Additionally, in October 2021, OFAC issued sanctions for compliance guidance involving the virtual currency industry. That issuance provides an overview of critical items such as reporting instructions, consequences of non-compliance, and compliance best practices.[xi] 

To conclude, cybercriminals using ransomware often resort to common tactics, such as wide-scale phishing and targeted spear-phishing campaigns that induce victims to download a malicious file or go to a malicious site, exploit remote desktop protocol endpoints and software vulnerabilities, or deploy “drive-by” malware attacks that host malicious code on legitimate websites. Proactive prevention through effective “cyber hygiene,” cybersecurity controls, and business continuity resiliency is often the best defense against ransomware.[xii] 

If you want information about our ransomware checklist and policy or other compliance resources, please click HERE. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

______________________________   
[i] The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 20% more reports of ransomware incidents in 2020 than in 2019, with a 225% increase in ransom demands, totaling $29 million in 2020 up from $9 million in 2019. See FBI IC3, 2020 Internet Crime Report, (2020). In the first six months of 2021, FinCEN identified $590 million in ransomware-related SARs, a 42 percent increase, compared to 2020’s total of $416 million. See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021).
[ii] See FinCEN Advisory, FIN-2019-A005, “Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic,” (July 30, 2020).
[iii] See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021). Also see generally DHS Cybersecurity & Infrastructure Security Agency (CISA), Ransomware Guide, (September 2020).
[iv] “Hosted wallets” are CVC wallets where the CVC exchange receives, stores, and transmits the CVCs on behalf of their accountholders. See FinCEN Guidance, FIN-2019-G001, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” (May 9, 2019).
[v] Mixing or tumbling involves the use of mechanisms to break the connection between an address sending CVC and the addresses receiving CVC. For more information, see FinCEN 2021 Ransomware Report, at 13 (October 15, 2021).
[vi] Chain hopping is a “cross-virtual-asset” layering technique for users attempting to conceal criminal behavior. Criminals obfuscate the trail of virtual currency by shifting the trail of transactions from the blockchain of one virtual currency to the blockchain of another virtual currency, often in rapid succession. See DOJ Cryptocurrency Enforcement Framework, at 41-44.
[vii] Smurfing refers to a layering technique in money laundering that involves breaking total amounts of funds into smaller amounts to move through multiple accounts before arriving at the ultimate beneficiary.
[viii] P2P exchangers are individuals or entities offering to exchange fiat currencies for virtual currencies or one virtual currency for another virtual currency. P2P exchangers usually operate informally, typically advertising and marketing their services through online classified advertisements or fora, social media, and by word of mouth. See FinCEN Advisory, FIN-2019-A003, “Advisory on Illicit Activity Involving Convertible Virtual Currency,” (May 9, 2019).
[ix] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021); FinCEN 2021 Ransomware Report, at 13 (October 15, 2021); and White House, FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware, (October 13, 2021).
[x] See OFAC, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” (September 21, 2021).
[xi] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021).
[xii] See FBI and DHS CISA, “Joint Cybersecurity Advisory: Ransomware Awareness for Holidays and Weekends,” (August 31, 2021).