

Ransomware needs to be on your radar. Here’s why.

Ransomware is a cyberattack where cybercriminals take over an organization’s computer network with malware. Once they assume control, the criminals demand a ransom to restore the victim’s access to the encrypted data. With an estimated $412 million generated in 2020 alone [1], the frequency of these attacks is growing. At Experian, we handle many data breach cases and know that 7 of 10 breaches involve ransomware.

This summer, NetDiligence dedicated a panel at its Cyber Risk Summit on the Lifecycle of a Ransomware Event and invited us to talk about our solutions to help business leaders prepare to minimize interruptions spurred by ransomware. The lifecycle of a ransomware attack includes five stages:

1. Attack

Bad actors attack to discover assets, take data, extort it for direct payment, or profit from reselling data on the dark web. They can also launch a ‘double-take’ attack: first collecting a ransom for access to the data and then demanding a secondary payment to keep it off the dark web. Hackers prey on company networks, searching for vulnerabilities and accessing encrypted files through phishing or planting malicious links to infect the network with malware. At more than double the global rate of 14% [2], U.S. ransomware attacks have become more aggressive, accounting for 30% of all cyberattacks in 2020 [2]. At Experian, we’ve seen an even higher occurrence, with 59% of the events serviced in 2021 to date involving ransomware.

2. Discovery

Once attackers infiltrate a system, they demand a ransom for the decryption key to unlock the encrypted files. Companies usually discover the attack through a ransom note emailed to an executive, a file left on a server, or even a flashing warning on all connected computers. The attackers leave a message including their contact information, ransom sum, payment delivery time, and consequences for unmet conditions, such as tipping off the media, releasing stolen data, or selling it on the dark web.

Next, companies will contact their cyber insurance carrier to log stolen information, get systems back online, navigate legal issues, and facilitate hacker negotiations. Since only about one-third of companies have cyber insurance, most will rush to hire cybersecurity counsel post-attack [3], amounting to more stress and delays since it can take months for large companies or those without backups to determine the extent of the damage. At Experian, almost all events involving ransomware take about 20% more time to begin breach notification. Whether there is an incident plan in place or not, companies experience immense panic.

3. Negotiation

Typically, a company will hire a professional, either directly or through their cyber insurance, to negotiate with hackers. While hackers expect price haggling, the ransom price could still be hefty. According to the cybersecurity firm Coveware, the average ransom was $154,000 in Q4 2020, down from $230,000 the year before [4]. But hackers can drive up the price. Prime example: JBS, the world’s largest meat processor, paid an $11 million ransom in June 2021 to prevent customer data from being compromised.

In a perfect world, the ransomware negotiation process goes this way:

- Establish communication with the attackers
- Obtain proof of decryption
- Obtain data exfiltration proof
- Negotiate a (huge) discount
- Celebrate

Unfortunately, negotiations can be tricky, and the process rarely goes this way. Sometimes attackers go “dark” or request additional payments. Additionally, decryption tools may have bugs that skip mapped network drives or skip folders with long paths and unusual characters. An investigation is key to determine how hackers got in, what was exposed, and if they still have access—knowing exactly how and what was compromised will help in the negotiation.

4. Settlement

After the ransom negotiations are over, companies must carefully consider the strategy behind the decision to pay or not to pay the ransom. The FBI generally discourages ransom payments because they may entice other criminals to engage in ransomware and paying does not guarantee data recovery. Additionally, the Office of Foreign Assets Control (OFAC) has payment bans and restrictions that support national security; these must be upheld, or companies face fines. At this stage, companies need to ensure that the ransom settlement does not violate constantly evolving regulations. If companies settle, the payment will typically be delivered via cryptocurrency like Bitcoin since it is harder to detect the payees. The hackers will mix the bitcoin with others, diluting the currency flow and making it difficult to trace.

5. Post-Event

For many companies, the settlement is just the beginning of ransomware attack costs. Companies will also have to pay to restore backups, rebuild systems and implement stronger cybersecurity controls to avoid future attacks. As discussed at the Cyber Risk Summit, here are five recommendations for companies to enforce tighter cyber control:

- Advanced Endpoint Monitoring System
- Restrict Remote Desktop Protocol (RDP)
- Regularly Update Software and Operating Systems
- Implement Password Management Policies
- Establish and Update Incident Response Plan and Ransomware Playbook

Ransomware is just getting started. To minimize the impact of an attack, companies should create a proactive preparedness plan. Determining how to protect against and scan for threats, establishing negotiation and payment rules, and planning external breach communications are critical.

Breaches are our business at Experian. We know ransomware breaches have more complex FAQs, letter versions, and increased call center escalations.

Sources:
[1] Washington Post, “How Ransomware Attacks Work”, July 2021
[2] Verizon 2021 Data Breach Investigations Report
[3] Washington Post, “Ransomware Axa Insurance Attacks”, June 2021
[4] Coveware, “Ransomware Marketplace Report”, Q4 2020

Lately, I’ve been surprised by the emphasis that some fraud prevention practitioners still place on manual fraud reviews and treatment. With the market’s intense focus on real-time decisions and customer experience, it seems that fraud processing isn’t always keeping up with the trends.

I’ve been involved in several lively discussions on this topic. On one side of the argument sit the analytical experts who are incredibly good at distilling mountains of detailed information into the most accurate fraud risk prediction possible. Their work is intended to relieve users from the burden of scrutinizing all of that data. On the other side of the argument sits the human side of the debate. Their position is that only a human being is able to balance the complexity of judging risk with the sensitivity of handling a potential customer. All of this has led me to consider the pros and cons of manual fraud reviews.

The Pros of Manual Review

When we consider the requirements for review, it certainly seems that there could be a strong case for using a manual process rather than artificial intelligence. Human beings can bring knowledge and experience that is outside of the data that an analytical decision can see. Knowing what type of product or service the customer is asking for and whether or not it’s attractive to criminals leaps to mind. Or perhaps the customer is part of a small community where they’re known to the institution through other types of relationships—like a credit union with a community- or employer-based field of membership. In cases like these, there are valuable insights that come from the reviewer’s knowledge of the world outside of the data that’s available for analytics.

The Cons of Manual Review

When we look at the cons of manual fraud review, there’s a lot to consider. First, the costs can be high. This goes beyond the dollars paid to people who handle the review to the good customers that are lost because of delays and friction that occur as part of the review process. In a past webinar, we asked approximately 150 practitioners how often an application flagged for identity discrepancies resulted in that application being abandoned. Half of the audience indicated that more than 50% of those customers were lost. Another 30% didn’t know what the impact was. Those potentially good customers were lost because the manual review process took too long.

Additionally, the results are subjective. Two reviewers with different levels of skill and expertise could look at the same information and choose a different course of action or make a different decision. A single reviewer can be inconsistent, too—especially if they’re expected to meet productivity measures.

Finally, manual fraud review doesn’t support policy development. In another webinar earlier this year, a fraud prevention practitioner mentioned that her organization’s past reliance on manual review left them unable to review fraud cases and figure out how the criminals were able to succeed. Her organization simply couldn’t recreate the reviewer’s thought process and find the mistake that led to a fraud loss.

To Review or Not to Review?

With compelling arguments on both sides, what is the best practice for manually reviewing cases of fraud risk? Hopefully, the following list will help:

DO: Get comfortable with what analytics tell you. Analytics divide events into groups that share a measurable level of fraud risk. Use the analytics to define different tiers of risk and assign each tier to a set of next steps. Start simple, breaking the accounts that need scrutiny into high, medium and low risk groups. Perhaps the high risk group includes one instance of fraud out of every five cases. Have a plan for how these will be handled. You might require additional identity documentation that would be hard for a criminal to falsify or some other action. Another group might include one instance in every 20 cases. A less burdensome treatment can be used here – like a one-time-passcode (OTP) sent to a confirmed mobile number. Any cases that remain unverified might then be asked for the same verification you used on the high-risk group.

DON’T: Rely on a single analytical score threshold or risk indicator to create one giant pile of work that has to be sorted out manually. This approach usually results in a poor experience for a large number of customers, and a strong possibility that the next steps are not aligned to the level of risk.

DO: Reserve manual review for situations where the reviewer can bring some new information or knowledge to the cases they review.

DON’T: Use the same underlying data that generated the analytics as the basis of a review. Consider two simplistic cases that use a new address with no past association to the individual. In one case, there are several other people with different surnames that have recently been using the same address. In the other, there are only two, and they share the same surname. In the best possible case, the reviewer recognizes how the other information affects the risk, and they duplicate what the analytics have already done – flagging the first application as suspicious. In other cases, connections will be missed, resulting in a costly mistake. In real situations, automated reviews are able to compare each piece of information to thousands of others, making it more likely that second-guessing the analytics using the same data will be problematic.

DO: Focus your most experienced and talented reviewers on creating fraud strategies. The best way to use their time and skill is to create a cycle where risk groups are defined (using analytics), a verification treatment is prescribed and used consistently, and the results are measured. With this approach, the outcome of every case is the result of deliberate action. When fraud occurs, it’s either because the case was miscategorized and received treatment that was too easy to discourage the criminal—or it was categorized correctly and the treatment wasn’t challenging enough.

Gaining Value

While there is a middle ground where manual review and skill can be a force-multiplier for strong analytics, my sense is that many organizations aren’t getting the best value from their most talented fraud practitioners. To improve this, businesses can start by understanding how analytics can help group customers based on levels of risk—not just one group but a few—where the number of good vs. fraudulent cases is understood. Decide how you want to handle each of those groups and reserve challenging treatments for the riskiest groups while applying easier treatments when the number of good customers per fraud attempt is very high. Set up a consistent waterfall process where customers either successfully verify, cascade to a more challenging treatment, or abandon the process.

Focus your manual efforts on monitoring the process you’ve put in place. Start collecting data that shows you how both good and bad cases flow through the process. Know what types of challenges the bad guys are outsmarting so you can route them to challenges that they won’t beat so easily. Most importantly, have a plan and be consistent.

Be sure to keep an eye out for a new post where we’ll talk about how this analytical approach can also help you grow your business.

If it looks like a bank and acts like a bank, there’s a good chance the company behind that financial services transaction may not actually be a bank – but a fintech. Born out of Silicon Valley, New York and tech hubs in between, fintechs have been categorically unfettered from regulation and driven by a focus on customer acquisition and revenue growth. Today, the fintech market represents hundreds of billions of dollars globally and has been disrupting financial services with the goal of delightful customer experiences and democratizing access to credit and banking.

Their success has led many fintechs to update their strategy and growth targets and set their sights outside of core banking on other sectors including payments, alternative lending, insurance, capital markets, personal wealth management and others. Depending on the strategy, many are seeking a bank charter, or a partnership with a chartered financial institution, to accomplish their new growth goals. Meanwhile, all this disruption has caught the attention of banks and credit unions who are keen to work with these marketplace lenders to grow deposits and increase fee-revenue streams.

Historically, obtaining a bank charter was an onerous process, which led many fintechs to actively seek out partnerships with financial institutions in order to leverage their chartered status without the regulatory hurdles of becoming a bank. In fact, fintech and FI partnerships have boomed in the last few years, growing more than five times over the past decade. Gone are the days of the zero-sum game that benefits solely the bank or the fintech. Today, there are more than 30 partner banks representing hundreds of fintech relationships and financial services. These partnerships vary in size and scope from household names like Goldman Sachs, which powers the Apple credit card, to Hatch Bank, which has $68 million in assets and started with a single fintech partner, HM Bradley. [1]

But which scenario is right for your fintech? Much of that depends on which markets and lines of business round out your growth strategy and revenue goals. Regardless of what framework you determine is right for your fintech, you need to work with partners who have access to the freshest data and models and a firm handle on the regulatory and compliance landscape.

Experian can help you navigate the fintech regulatory environment and think through whether partnering with a bank or seeking your own fintech charter is the best match for your growth plan. In the meantime, check out this new eBook for more information on the bank charter process and benefits, fintech-FI partnerships and the implications of the Office of the Comptroller of the Currency (OCC) new fintech charter.

[1] https://a16z.com/2020/06/11/the-partner-bank-boom/


