IIROC Warns That Ransomware Attacks are Increasing

The Investment Industry Regulatory Organization of Canada (IIROC) recently published a notice in response to an increasing number of ransomware attacks against organizations in the first few months of 2021.

This notice is helpful for all organizations as they prepare for and respond to this increase in ransomware attacks.

Ransomware is software designed to lock or encrypt an organization’s system or data. It typically spreads through sophisticated “phishing emails,” which trick users to interact with infected emails. Ransomware can also spread through server or software vulnerabilities without user interaction. “Drive-by downloads” can also infect systems or networks when an individual clicks on a compromised website or malicious advertisement.

Once a system or data is exposed, the ransomware encrypts the system, and requires users to pay a ransom by a specified deadline in exchange for access to the system or data. IIROC warns that even if the organization pays the ransom or demand, the attacker may still publicly expose an organization’s data by selling it on the dark web.

IIROC recommends five control measures for organizations to prevent and detect ransomware attacks:

  1. Firm-level controls, policies and procedures to respond to irregular behavior. Establish a process to quickly investigate a suspected attack to determine the root cause and extent of the attack. Ensure the process considers how much and what types of cybersecurity insurance is needed.
  2. Information backup controls that back up all systems and data, test backups to ensure integrity. Keep backups stored separate from the organization’s production network.
  3. Technology controls to protect devices and networks including multi-factor authentication, web filtering tools, anti-malware/anti-virus capability at key points of your environment. Implement a Security Information and Event Management (SIEM) platform that aggregates event and security data from multiple sources.
  4. Educating employees, contractors and advisers on the importance of remaining vigilant when clicking on links in emails or on the internet. Organizations should also provide employees, contractors, and others with frequent phishing awareness training and tests.
  5. Monitoring for anomalous behavior to detect and mitigate an attack including implementing a Continuous Security Monitoring (CSM) function to automate monitoring of threats, an Endpoint Threat Detection and Response (ETDR) solution to detect malware and assist forensics in the event of an attack and other monitoring tools to detect abnormal deviations or activity.

IIROC also recommends that organizations implement the following four control measures to recover from and respond to a ransomware attack once it happens:

  1. Isolate the infected devices to limit the scope of the attack.
  2. Determine whether you have a salvageable backup and what information is lost.
  3. Investigate the incident to determine the scope and extent of the attack.
  4. Report the incident to the applicable authorities, privacy commissioners, regulators or law enforcement officials.

Another key aspect of responding to a ransomware attack is engaging legal counsel to ensure that the investigation is protected by solicitor-client privilege.

Read our 10 Steps to Prepare Your Organization for a Ransomware Attack blog for more information.

Organizations should incorporate these steps into a customized cybersecurity program and review, test and update the program on an ongoing basis to appropriately reflect the changing threat landscape. Organizations may wish to work with experienced legal counsel and information technology professionals to aid them with any of the foregoing steps. We have assisted many organizations with developing and implementing their programs and can help you respond to ransomware and other cyberattacks and breaches. Please contact our privacy and cybersecurity team for assistance with reviewing your organization’s cybersecurity program.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.