The Canadian Investment Regulatory Organization (CIRO) has published a new guide for its dealer member firms, entitled Ransomware Response Playbook. Based on two cyber security table-top exercises conducted in 2023, the guide outlines the high-level steps that firms need to take to mount an effective response to a ransomware attack.
The guide builds on an earlier educational bulletin, published in March 2021, which similarly outlines what firms and employees should do to recover from a ransomware attack. The new playbook goes into greater detail about the players involved, how they interact, and the activities each should undertake in response to an attack.
Created realistic scenarios to model
The new playbook was created following exercises that CIRO conducted with investment dealer and mutual fund dealer firms, supported by Juno Risk Solutions Inc., which authored the playbook. A working group of information technology (IT) security experts from small and medium-sized CIRO member firms helped create realistic scenarios to model, and representatives from four Canadian law firms were available to advise on the legal implications of decisions made during the exercises. CIRO says almost 200 people from 128 firms participated in the exercise.
“The exercises were focused on small and medium-sized member firms because they don’t typically have the resources of larger member firms to manage cyber risks,” CIRO states in its member bulletin about the playbook’s release. Representatives from Axis Capital, Marsh Canada and Travelers Canada also provided expertise on insurance considerations while facilitating many of the group’s discussions.
Phishing attacks
Ransomware is typically installed on devices or networks through phishing attacks, through users visiting compromised websites, by threat actors using stolen credentials (available on the dark web), and through brute-force entry into vulnerable web-facing networks and servers.
“This document is to guide response to a ransomware attack that can have a material impact on the continuity of business operations. It outlines the actions required to ensure that these incidents are addressed in a coordinated and repeatable manner,” Juno Risk Solutions writes. “Procedures should be tested and reviewed periodically via scenario-based exercises.”
Business recovery
The playbook discusses the stages of a ransomware attack and the related and interrelated risks; the corresponding industry-standard protections; the teams, leaders and roles required to respond to an attack; business impact assessment practices; the analysis of options and of the ransom demand; business recovery; and post-incident actions and analysis.
The advice also includes a discussion of when and how to involve legal counsel, noting that legal privilege allows an organization to communicate freely with its lawyers about cyber incidents in order to obtain candid advice. It also gives lawyers time to take the steps needed to defend the organization in litigation, should the need arise. “Managing incident response through the general counsel under the cloak of legal privilege is a critical step to protect the organization in the event of legal action,” the guide states.