After a hack, loose lips won’t sink chips

When a company falls prey to a cyber attack, the standard response is often to clam up, say as little as possible – at least publicly – and work behind the scenes to clean up the mess.

This is the playbook Ion Group, a supplier of trading and risk management software to financial firms, followed when its servers became infected with ransomware at the end of January. After the affected services were taken offline, it took hours for some clients to confirm the cause of the outage. The lack of information frustrated customers and regulators alike and stoked fears of systemic risk.

Ion’s only public statement on the matter was a three-sentence notice posted on its website later that day confirming some of its servers had been disconnected following a cyber attack. “Further updates will be posted when available,” the note added. They weren’t.

The vacuum of information – and accountability – that typically follows a hack only feeds the problem

When the financial press began reporting on the outage on February 1, it was the US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection that contacted…
