
The cyber attack launched last week against the Israeli insurance company Shirbit has already led to the release of large amounts of company data, exposing personal information about customers and employees, after the company refused to pay the ransom demanded by the Black Shadow group.

This data-theft and extortion attack raises concerns about the resilience of financial institutions and other organizations to cyber attacks.

In a special interview with iHLS, Dr. Nimrod Kozlovski, Head of the Technology & Regulation Department at Herzog Fox & Neeman, said: “The financial sector has been strictly regulated with regard to cyber risk management, and is bound by detailed regulations concerning risk evaluation, integration of controls, management of security measures, and security procedures. It is also obliged to report cyber incidents.

In the current incident, when Shirbit, which is subject to regulation by Israel’s Capital Market, Insurance and Savings Authority, realized that it was facing an information leak and extortion incident, the company worked with the regulator both in reporting the incident and in investigating it, and with the National Cyber Directorate, receiving guidance and coordinating the investigation.”

Interested in learning more about coping with cyber threats to financial institutions? Register for the broadcast conference INNOTECH 2020 on Cyber, HLS, and innovation.

He added: “Such an incident imposes a wide range of obligations on the attacked company, both in the investigation and in reporting to the authorities, the Capital Market Authority, and – if personal information was leaked – also the Privacy Protection Authority. A publicly traded company must also report immediately to the Stock Exchange. In addition, following updates to the privacy protection laws, there are obligations to notify the people concerned in the relevant cases.” In addition, Dr. Kozlovski said, “there are usually legal obligations arising from contracts, requiring both the investigation of the incident and its reporting to third parties with whom the company is involved, including the company’s cyber insurers and reinsurers. The company must conduct a meticulous forensic investigation, and act to contain the incident and minimize the potential damage to the affected parties.”

According to Dr. Kozlovski, “in the current incident there is a unique legal challenge regarding the ransom payment. The legislation, which in the past had been vague regarding the legality of ransom payments, was recently interpreted by the authorities, and the present approach is that paying a ransom could contravene the laws on money laundering and terror financing, and might also violate US sanctions legislation, which prohibits commerce with various states and entities. So the company faces the dilemma of whether paying the ransom might expose it legally.”

Asked how to ensure that financial firms will be better protected in the next incident, Dr. Kozlovski stated that “the right conduct by Shirbit or similar companies would have been preparedness in advance rather than response after an attack. Advance preparation of cyber security management in accordance with regulations and accepted risk management protocols could have prevented the incident. This includes encryption of sensitive data, limiting access to sensitive data, hardening identification and authorization systems, and monitoring for anomalous access and information leaks; all of these could have prevented the incident from the start.”

The conclusion? “Other companies should prepare for risk management in advance, so as not to be left at the mercy of attackers.”
