Why Financial Services Can No Longer Rely on Ransomware Defense Alone: 10 Key Takeaways for CISOs

Industry
Written by
Halcyon Team
Published on
Nov 21, 2025

CISOs and industry leaders from Virgin Money, SoftBank, and Barclays reveal why prevention alone fails and what financial institutions must do to survive ransomware attacks

Ransomware continues to evolve as one of the most significant threats facing financial services organizations. In a recent Halcyon webinar, What Financial Services Organizations Need to Know About Ransomware Resilience, three leading cybersecurity experts—Jim Korchak (CISO at Virgin Money), Gary Hayslip (former SoftBank CISO, now at Halcyon), and Oliver Newbury (former Barclays CISO, now Halcyon Chief Strategy Officer)—discussed the tactical and philosophical shift required to combat ransomware in 2025 and beyond.

Their insights revealed an uncomfortable truth: no amount of preventive security controls can guarantee protection against ransomware operators. For financial institutions, the question is no longer if an attack can succeed, but whether your organization is resilient enough to maintain operations when it does.

Watch the complete webinar for comprehensive insights.

10 Key Takeaways for Financial Services CISOs

1. Prevention Alone Is Insufficient: Invest in recovery capabilities with the same rigor you apply to prevention. Test those capabilities regularly under realistic crisis conditions.

Korchak: "Prevention. If I invest enough in prevention, I don't necessarily have to worry about recovery on the other end. You can't think that way anymore. Recent events demonstrate that if somebody wants to bad enough, and they have the resources to do it, they'll find a way."

Hayslip: "One of the biggest things I was running into was, 'Well, we have backups, so we don't need to really invest in a lot of other things.' That's great, but do you understand how long it's going to take to back up 5,000 endpoints, or critical servers where you're making $300,000 an hour, and these things are down, and you're going to have to rebuild them all?"

2. Understand Your Containment Gap: Don't confuse backup restoration time with actual recovery time. Factor in containment, eradication, and verification phases that can take weeks.

Newbury: "People test their recovery time from backup and say, 'This is how long it takes me to recover.' But if that takes a week or two weeks, and you don't have the right strategy to contain and eradicate quickly, your overall recovery time is actually far bigger than you think. Before you can effectively restore, you need to have a clean environment, otherwise you're just restoring into an environment that's owned by the adversary."

Korchak: "You don't want to find out that restoring your backups takes a week because they're on tape somewhere. You need to go through every possible part, not just in the technology sense, but what's your media messaging gonna be? How are you gonna face off to the regulators? What about your ethical responsibility to disclose to other people within your industry?"

3. Practice Cross-Functional Response: Include legal, communications, business continuity, board members, and critical third parties in regular tabletop exercises.

Hayslip: "You can do incident response tabletops within IT and security teams so they're used to working together. But then you need to expand that out and do scenarios where you're dealing with the full business continuity team, and even get the board involved or executive leadership team, just so they understand who they would talk to depending on the scenario."

Newbury: "Having a really strong relationship with your general counsel ahead of a crisis is crucial because they're one of the most important actors, whether it's around disclosure or concepts around legal privilege as it relates to incident response and forensics. You don't want to be building relationships in the event of a crisis."

The panel also stressed that communications planning extends beyond media relations.

Newbury: "In financial services, you have counterparties with which you're managing big transaction volumes. How do you talk to them? Are the people managing those relationships prepped and ready to be part of the communication strategy?"

4. Architect for Resilience: Build redundancy and isolation into system architecture. Don't assume cloud providers or vendors will ensure your resilience.

Newbury: "Operational resilience has moved forward from dusty plans, fairly disconnected from reality, into something much more real. Cyber resilience has changed operational resilience, particularly in the face of ransomware attacks where we've seen such devastating downtime."

Korchak: "Here in the UK, the regulators passed something called the Operational Resilience Framework in 2021, and it forced organizations to really think more thoroughly about how to be resilient. Things like just presuming your cloud provider was going to provide you that resilience is no longer an acceptable thought."

Hayslip: "So many companies had to go to the drawing board when they realized we're gonna have to go 100% remote. That alone brought boards together to say, how do we take a hit from a ransomware attack and still keep operating? It's not acceptable to be offline and shut down."

5. Focus on Identity Security: With attacks increasingly using valid credentials, identity and access management becomes your primary defense layer.

Newbury: "There's this trend now around attackers logging in, not hacking in. There are an increasing number of attacks where they don't need to start with a vulnerability. If the criminal's able to socially engineer your help desk to give them a valid credential and log in as a legitimate employee, no patching in the world is gonna save you."

Korchak: "These are well-funded organizations run like businesses, and the cost of hacking through is considerably higher than getting a foothold via somebody clicking a link. The speed at which they can harvest social media profiles and come up with credible social engineering scripts is remarkable."

6. Prioritize Critical Third Parties: Identify your 20-25 truly critical vendors, audit them rigorously, and game out scenarios for losing access to each one.

Hayslip: "Of the 200-plus different SaaS apps and vendors we were dealing with, there were about 20 to 25 that we considered business-critical. Not only did we do the contract stuff, but we also audited them. We got their SOC 2s to see from a maturity standpoint where they were at. When we did tabletops, a lot of our scenarios were around these critical apps—if we lost them, what would we do next?"

7. Prepare for AI-Powered Attacks: Invest in automation and AI for defense to achieve machine-speed response against machine-speed attacks.

Hayslip: "The criminal syndicates doing ransomware are using agentic AI to test various types of ransomware attacks, to test their responses to shut off EDR, to slowly exfil data, and then drop the ransomware package. Agentic ransomware is gonna land on an endpoint, it doesn't need a human to operate."

Korchak: "We're seeing much more credible phishing emails coming through. The time to being prodded on zero days is now considerably faster than it used to be. We're heading towards a world where speed of human versus speed of machine is going to become one of the bigger cyber risks."

Newbury: "You can now generate exploits for a given CVE for only $2.74 using AI. At the moment, only 1% of the CVE database has exploits that exist for them, but if you can use AI to potentially up that to 50%, it becomes pretty scary. Thirty-day patching cycles are not going to live with that speed from adversaries."

8. Consider Advanced Recovery Options: Evaluate technologies that provide rapid recovery through encryption key capture, not just traditional backup restoration.

Newbury: "One of the things Halcyon does is offer you a third way between that board conversation of do you pay the ransom or do you restore from backup, which can take weeks. Our technology allows you to actually steal the encryption keys that adversaries are using, then use those same keys to begin reversing decryption in situ on the boxes that were actually affected. You can bring the infrastructure back to life at roughly the same speed it took the adversary to encrypt it."

9. Build Muscle Memory: Regular drilling and exercising creates the muscle memory needed to respond effectively when attacks occur.

Newbury: "Making sure you're doing tabletop crisis simulations with your board. At the technical and SOC level, really drilling through what are the steps it would take to start to recover. Do I actually know how to get the data out of backups? How to restore? What things I do first?"

Korchak: "You don't want to be dreaming up what you need to do next when you're in those scenarios. It needs to be muscle memory. The first five times you go through it, you won't get it fully right. You'll need those findings from exercises and make sure you follow up."

10. Embrace the Basics: No matter how sophisticated your environment, cyber hygiene fundamentals remain critical.

Hayslip: "The biggest thing is cyber hygiene itself, the basics. The problem is the basics are boring. You've really got to pay attention to how you're protecting data, how you're managing authentication. Cyber is still cyber. It doesn't matter how advanced you get, you still have to follow basics all the time."

Watch the webinar on-demand for comprehensive insights.
