How Would Your Scheme Handle a Ransomware Attack?
This blog is a bit different to our usual - it's an urgent call to action.
We write against a backdrop of elevated geopolitical risk. We believe the current likelihood of a crisis event impacting your scheme is much higher than normal. Whilst our broader point is that pension funds need to get fitter to 'win' a crisis event, we focus here on one particular scenario which pension funds should prepare for now: a ransomware attack.
Background
For some years Avida has supported pension schemes in preparing for crisis events. Sometimes this is light touch: identifying areas of potential weakness and helping to form a response.
Our most impactful work has been with schemes that 'wargame' specific scenarios in live exercises. This is what banks, insurers and fund managers do; it demonstrates resilience to regulators and, of course, to shareholders.
Our experience is that whilst pension funds think a lot about risk, maintain Risk Registers and in some cases have in-house risk-focused resource, they are well behind the best practice followed by other large financial institutions. There is limited (if any) rehearsal of plausible scenarios, and little muscle memory of how to respond. Sure, most funds will have business continuity plans, but these largely focus on IT outages, and in any case the response is often 'owned' by the bigger organisation, i.e. it is not pension-fund specific. This leaves the scheme prone to bad outcomes during acute crisis events.
Our clients, having gone through these exercises, have used them as a catalyst to achieve greater resilience.
Avida's Approach to Crisis Scenarios
Avida retains a bank of scenarios in the following areas (high level examples are given for 'flavour'):
Systems Shock: could be a cyberattack, but not necessarily; n.b. this covers the scheme's own ('in-house') systems. Systems outages at a supplier are dealt with under Provider Shock
Reputational Shock: e.g. private assets linked to slavery; failure to pay pensions; unethical practices; public 'shaming' (however fair or unfair)
Provider Shock: DC platform collapse; business default (e.g. buy-in provider); market withdrawal; systems outage at a supplier, e.g. pensions admin
People Shock: CIO team leaves en masse; mass coincident sickness of key decision makers
Market Shock: asset prices move and flow through to operational issues, typically driven by excess or hidden leverage or 'thin' cash positions; counterparty default
Sponsor/Funder Shock: collapse in creditworthiness; failure of DC funder to honour obligations; withdrawal of credit lines; failure of contingent asset arrangements
Many events cause upheaval to the running of a pension scheme, but they are often regulatory and well signalled, or (if market driven) within expected tolerances. Here we are dealing instead with acute events of big impact. The 2020 pandemic and the 2022 LDI shock are recent examples: 'unimaginable', but they still happened.
Readers will be aware of the development of so-called hybrid warfare, though probably not exposed directly - or so they might think. Read on!
A topical scenario - Ransomware Attack
Avida recently carried out a live exercise assuming the client had experienced a ransomware attack. Our exercises are always client specific (after consultation); the following gives a flavour. Scenario details (which are plausible, but extremely troubling, we admit!) are in the Appendix. Here is a summary, with high level outcomes.
'Upon signing on (i.e. booting up), your computer presents a message. Network security has been breached and essential systems compromised. Critical files and systems are now encrypted, and sensitive data has been extracted. You have no access without a decryption key.
You are given 72 hours to pay [x] Bitcoin into [Y] account, upon which you will be provided with a verifiable decryption key.
Failure to comply, or any attempt to recover data or involve law enforcement, will result in permanent deletion of your files and potential publication of the extracted data.'
The exercise explored readiness, and the dynamism of response and ownership across the scheme's relevant pension functions. Recognising that not all crises are the same, and that the exercise had identified some gaps, the scheme developed an ongoing programme of readiness and a crisis playbook.
Full details are beyond the scope of this blog, but the outcome covered:
Creation of situational awareness and crisis 'sensing', considering the impact on relevant stakeholders of different 'types' of crisis
Specifically, how an immediate response to any crisis would be initiated and managed
Subsequent communication with stakeholders and media
Crisis organisation, leadership and information/project management (including suppliers)
Board room, team dynamics and behaviours
Whilst no two crises are the same, the value of rehearsing this ransomware scenario seems more 'live' than that of many others we can think of.
How can Avida help?
We train organisations to improve their responsiveness to unlikely crisis scenarios. Typically, the client engages us for a series of real-life training experiences to build muscle memory at multiple levels.
As experts in the way investment and other pension operations interact, we help identify areas particularly vulnerable in a crisis. This goes beyond maintenance of Risk Registers and the 'usual' risk RAG ratings, creating the capability for dynamic response to 'win' the crisis, thereby protecting the scheme and members' interests.
The Avida approach has been to develop scenarios based on real-life experience. We collaborate with professionals in the industry, military and medical domains.
Appendix – Ransomware Scenario
Imagine a regular Friday morning in early December, 9am. You start up your computer and the following message pops up:
Attention!
Your critical files and systems have been encrypted, and any attempts to access them without a decryption key will fail. We have taken additional measures to ensure your data is locked until you comply with our instructions.
What Happened?
Your network was breached, and essential systems were compromised. We encrypted your data and extracted certain sensitive information. Attempts to bypass or ignore this encryption will result in the permanent loss of your data and may trigger further actions on our end.
What You Need to Do
You have 72 hours to comply with our demands, starting from the time this message was delivered.
To recover your data, you must pay 3 Bitcoin (BTC) to the following address: 1FfmbHfnpaZjKFvyi1okTjJJusN455paPH
After payment, we will send a decryption tool and instructions for restoring your systems.
Failure to comply within the given timeframe will result in the permanent deletion of your files.
How to Make the Payment
If you do not already have Bitcoin, search online for instructions on purchasing it through exchanges like Binance or Coinbase.
Send the payment to our specified address, provided above.
Once payment is confirmed, we will provide the decryption key and guide you on recovery.
Important Note
Any attempts to tamper with our encryption, contact law enforcement, or deploy cybersecurity specialists to counter our encryption may lead to complete data loss and further disruption of your services.
Proof of Decryption
If you need assurance, contact us at [darkmail@onionmail.com]. We will decrypt a single file to prove we have the decryption key.
Your Deadline: 72 hours from receipt of this message.
Failure to pay will result in data loss and potential publication of your sensitive information online. Choose wisely.