Ransomware recovery and long-term cyber governance support

Problem

A financial services firm suffered a major ransomware attack that resulted in complete encryption of its internal servers, causing widespread service outages and operational downtime.

The attackers gained unauthorised access to the company’s IT systems, disrupting operations and leading to financial and reputational damage. The firm’s fund manager refused to pay the ransom, resulting in a two-week recovery period. During this time, client services were heavily impacted and there was concern over potential exposure of sensitive personal information.

The incident also triggered regulatory scrutiny, with the UK regulator mandating a full-scale review of the firm’s cyber security posture.

Response

Toro provided immediate incident response services, overseeing containment, recovery and an investigation into the cause of the incident. Following the immediate crisis, Toro was engaged to provide virtual Chief Information Security Officer (vCISO) services and lead a structured cyber security improvement programme. This involved assessing weaknesses across people, processes, and technology, enhancing detection and response capabilities, and supporting the firm’s interactions with the UK regulator.

Outcome

The firm restored operational services without paying a ransom, and Toro’s involvement ensured a clear roadmap for recovery and remediation. A comprehensive two-year improvement programme, overseen by the regulator, was put in place to rebuild trust and demonstrate operational resilience. This programme, led by Toro, significantly strengthened the firm’s cyber security governance, risk management, and incident response capabilities, while reassuring clients and stakeholders of the firm’s long-term resilience.