Our firm takes cybersecurity seriously, but we were still impacted by attacks on our third-party providers.

It never occurred to us that a ransomware attack on a third-party provider would affect our business.

Cybersecurity has been a big priority for our public accounting firm. Like private lenders, we are responsible for protecting the sensitive data of our clients, which includes tax returns, names, addresses, Social Security numbers and even bank information. Our firm has always strived to take every precaution to ensure data security—everything from working closely with IT professionals, installing firewalls and regularly communicating with our staff about staying alert for scams  and other potential attacks.

But, despite these precautions, our firm was impacted via third-party providers. With ransomware attacks on the rise, two of our third-party service providers experienced attacks within 90 days. Both attacks interrupted our business from several days to more than a week. With the increasing reliance on third-party providers and integrated software systems, private lenders and financial institutions alike are at risk of experiencing similar indirect business interruptions.

Two Attacks

Our first indirect ransomware attack was on Wolters Kluwer, a significant provider of accounting tools and resources. The ransomware attack had such a substantial effect on the accounting industry that the IRS offered a seven-day extension period for tax returns due around the May 15 tax filing deadline.

The ransomware attack had a mild impact on our firm’s operations. We were unable to file tax returns electronically.

We’re lucky to have a diligent administration team. Wolters Kluwer had not even announced the attack before our office manager was on the phone with our IT professionals and insurance broker.

Both our IT team and our insurance broker reviewed the situation, put us at ease and assured us we were doing everything right. None of our client data was lost, and cybersecurity experts verified that none of our sensitive data was compromised. Private lenders should read their cyber insurance policies very carefully. We were surprised to learn that if a third-party attack that may affect our systems was not disclosed within five days, then our cyber insurance policy may not cover the attack.

Since the attack had a more substantial impact on other CPA firms, leaving some firms unable to prepare tax returns at all, we began asking ourselves: What would we do if any of our other third-party software providers systems went down?

We thought through every  critical software that our firm uses, how each is integrated and what would happen if we couldn’t access any one of them.

What we didn’t expect was to experience a second ransomware attack on a different provider within a three-month window. Once again, no client data were lost, and cybersecurity experts verified that none of our data was at risk or stolen. Our service provider kept in touch with us and communicated resolution statuses frequently; however, the updates were vague.

This second business interruption affected multiple facets of our daily operations, bringing us to a halt for eight days and leaving us unable to work. Since the attack was on a third-party provider, we were completely helpless to do anything. During the first three days of the attack, we were under the delusion that our systems would be up and operational at any moment. We made our staff come to the office each day, and they worked on their continuing education requirements, tax research and other things we did have access to.

Lessons Learned

We always hear the horror stories of lost data that couldn’t be recovered, at-risk client data and identity theft. More often, these horror stories are becoming shared experiences.

Private lenders can take away some essential lessons from the not-so-dire business interruptions of outside third-party providers. Your ransomware prevention plan will include addressing the technology components of firewalls and network security. Still, be sure to also incorporate into your disaster recovery plan the more subtle elements of communication, lost time and other hassles.

Communication // The business experiencing a ransomware attack will be communicating directly with their cybersecurity experts and even law enforcement.

If your private lending business is not under a direct attack, the communication to you from your third-party provider will be vague. You may not receive clear information as to the measures being taken to restore your data until after your systems are restored. Communication and status updates to you are explicitly crafted to be vague so the attacker will not be privy to the steps being taken to resolve the attack. This will make it difficult for you to communicate effectively with your customers.cyber

Lost time // Plan for the business interruption to last anywhere from several days to a few weeks. Although the cybersecurity experts and IT professionals will be working tirelessly around the clock to restore your systems, more likely, you will not be back up and working the same day or the next.

Will your team be able to close that loan on time? What expectation will you have for your employees to work during the outage? What is the plan to catch up on work after the blackout? Will you need to hire temporary employees to catch up?

Lack of access to backups // Build redundancy into your business interruption plan. Our third-party provider was making backups of backups. They were making nightly and weekly backups.

Once the ransomware attack started, however, the provider was unable to transmit any backups to us. It is better business practice to have backups in multiple locations and through at least two providers or your computer servers. Ensure the backups are in completely segregated systems. You can never be too careful.

Building in redundancy may be costly, but can you afford not to close a loan for five days? Private lenders promote the speed of execution in closing loans. What would happen if you could not close a loan for two weeks?

Hassle afterward // Lesser known is what happens after the attack. We were not ready for the lost time at the administrative and management level after the attack.

Expect to have follow-up calls with your cyber insurance provider, the third-party service provider and IT professionals. The most lost time we had afterward was related to describing the situation to our cyber insurance company, quantifying our loss and then negotiating a recovery with the third-party provider. You may even need to hire a forensic accountant to substantiate and quantify the lost revenue and impact on your private lending business and your customers.

Due Diligence

You may have taken every precaution available to mitigate exposure to a direct cyberattack on your company. Your network has firewalls and closed access points. Your backups have backups in segregated systems. Your employees have been trained to avoid spam and malicious email links. Your IT professional is regularly monitoring for ransomware and malware.

Have you ever wondered if your third-party accountant, fund administrator, servicing company, borrower or investor portal provider, or other third-party providers are taking the same measures?

With cyberattacks on the rise, you need to ensure that any significant service providers who have your borrower or investor names, addresses, tax identification numbers and banking information have secure cyberattack prevention practices and policies in place.

Here are a few due diligence questions to ask when selecting and engaging providers.

  • Does the provider have secure methods available to transmit sensitive data? 
  • What are the cyber-security prevention policies? Are all the provider’s employees aware of the procedure? 
  • Is the IT professional regularly checking the security of the network and firewalls or monitoring for access points multiple times during the year? 
  • Are there two-factor verification processes in place for transmitting wires and ACH payments? 
  • Does the service provider’s cyber insurance policy extend to cover you as well? Does it extend to cover your borrowers or investors? 
  • How is data backed up, how often and is it to multiple, separate locations? 
  • Are there preventions in place for remote or working-from-home employees to ensure firewalls and secure networks protect their computers? 
  • Does the company have portable hotspots for the employees who are traveling, so that your data is not accessed through public Wi-Fi? 
  • Does the provider use offshore staff, and how secure are their networks and firewalls? 

Be Proactive

The news features stories about large companies and government agencies falling victims to cyberattacks, such as the Pitney Bowes attack in October 2019. Private lending companies and CPA firms alike are great targets for hackers due to the amount of sensitive and confidential data we are entrusted with.

Many private companies choose not to disclose ransomware attacks, as they do not want to be perceived as being unsecure. We hope that by sharing our experiences of the indirect attacks, you can implement strong cybersecurity policies, business interruption and data recovery plans.