With ransomware becoming an increasingly persistent threat for financial firms, the Canadian Investment Regulatory Organization (CIRO) has issued a crisis response playbook for securities dealers.

In 2023 the self-regulatory organization (SRO) carried out a couple of cybersecurity exercises for small and mid-sized firms to share information and help bolster their resilience to cyberattacks, given that smaller firms typically don’t have the same kinds of resources as larger firms to guard against, and deal with, these kinds of threats.


In the wake of those efforts, the SRO has published a report that sketches out a framework for dealing with ransomware attacks, “which continue to be prevalent and are growing in volume and sophistication, [and] have resulted in significant financial losses and caused considerable reputational damage to a number of companies.”

When a firm is hit with a ransomware attack, the report recommends that dealers’ business continuity and incident response teams provide an analysis of the financial, operational and reputational impacts of the event, in both the short and long term, which arms the firm’s executive team to make sound decisions to cope with the attack.

“This framework enables the executive team to consider the range of impacts to the business and thus make an informed business decision whether to pay the ransom or not,” it said.

The decision about whether to pay off an attacker requires executive teams to consider a range of factors, it said: assessing the likely financial impact of the incident, including whether paying the ransom is cheaper than coping with the effects of the breach, and evaluating the operational impact. Regulatory considerations, such as whether paying a ransom enables the firm to best meet its duty to protect clients’ confidential information, are also a factor.

There are also reputational factors to consider, including the impact of an ongoing operational disruption on a firm’s reputation, the fallout from the fact that a firm’s data was compromised, and the reputational repercussions of paying a ransom.

“Reaching a decision to pay a ransom to a criminal actor is challenging,” the report said. “It raises emotional issues regarding the possibility of paying a ransom that ultimately rewards criminals. However, a ransomware attack presents a range of business risks to an organization, all of which need to be considered when deciding on how to respond to a ransom demand.”