Financial firms that face ransomware attacks shouldn’t pay, U.S. industry trade group the Securities and Financial Markets Association (SIFMA) says.

Following the latest industry-wide cybersecurity exercise, SIFMA published recommendations for dealing with cyber threats — including ransomware attacks that were the focus of the latest biennial event.

The exercise in November involved rehearsing incident response protocols for significant ransomware attacks targeting the financial sector and identifying gaps in the industry’s response plans.

“SIFMA does not recommend paying a ransom,” it said. “Executives need to carefully consider the realities of taking such actions, including the possibility that they still may not recover stolen data.”

Instead, it recommends firms “invest in robust ransomware recovery” and response plans for cyber incidents, including frequent cybersecurity exercises and tests.

At the same time, firms should prepare for the possibility that regulators fall victim to ransomware attacks of their own and establish back-up plans for that scenario, too.

“In the event a regulatory authority is impacted by a ransomware event and goes offline, firms should have processes in place to use alternate communications channels,” it said.

The group also advises firms to follow best practices, such as employing multi-factor authentication, using automated password systems to guard against social engineering, protecting critical infrastructure from public internet exposure, developing identity verification systems to detect “back door” accounts, and proactively hunting for cyber threats.

“A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing,” said Kenneth Bentsen, Jr., president and CEO of SIFMA, in a release.

“No single actor — not the federal government, nor any individual firm — has the resources to protect markets from cyber threats on their own. Firms should also continually exercise their crisis management, incident response and data recovery plans to ensure rapid response and recovery from ransomware or other types of cyber-attacks,” he added.