The First 60 Minutes of a Ransomware Event: A Minute-by-Minute Playbook for St. Louis RIAs and Wealth Managers


Ransomware attacks on financial services firms climbed 30% in 2025, with 202 confirmed incidents — and early 2026 data suggests the pace is accelerating. In Q1 2026 alone, the financial sector recorded 65 incidents, a 76% increase over the same period last year. Investment firms now account for over 40% of all finance-sector ransomware disclosures.

Those numbers tell part of the story. What they don’t capture is what happens inside a firm during the first hour of an attack — and why that hour, more than any other, determines whether you’re dealing with a contained incident or a firm-ending catastrophe.

Most St. Louis RIAs, wealth management practices, and broker-dealers have some version of a response plan. Very few have a plan that’s specific, practiced, and structured around the actual sequence of decisions that need to happen in the first 60 minutes. This is that plan.

Note: Nothing in this article constitutes legal or compliance advice. Consult securities counsel or your compliance consultant for guidance specific to your firm’s obligations.

Why the First Hour Is Everything

Modern ransomware doesn’t trigger the moment it enters your network. Attackers typically dwell inside a financial firm’s environment for days or weeks before deploying the payload — mapping systems, escalating privileges, identifying backup locations, and positioning for maximum impact. By the time you see a ransom note on a screen, the intrusion is already mature.

What happens in the first 60 minutes of the visible event determines the blast radius. Every minute of hesitation allows lateral movement into additional systems. Every wrong decision — shutting down the wrong server, communicating over a compromised email system, delaying the call to legal counsel — compounds the damage.

Direct ransomware attacks on financial institutions climbed from 156 in 2024 to 202 in 2025, and early 2026 data shows 65 finance-sector incidents in Q1 alone — a 76% increase over Q1 2025. The firms that navigate those incidents best are the ones that already know what to do before the ransom note appears.

The firms that don’t are the ones still debating what to do while the encryption spreads.

Minutes 0–10: Stop the Spread First. Investigate Second.

The moment ransomware is suspected – unusual file extensions appearing, encrypted shares, a ransom note on screen, systems becoming unresponsive – the instinct is to understand what’s happening. Resist it. Understanding comes later. The immediate priority is stopping the spread.

Physically disconnect affected workstations. Don’t just log off. Don’t restart. Pull the network cable or disable the network interface entirely. A workstation that’s disconnected can’t propagate the attack to file servers, other endpoints, or shared drives. One that’s simply logged off still can.

Isolate affected network segments at the switch or firewall level. If you can identify which segment is compromised, isolate it. If you can’t, segment everything and work backward from a clean state. The cost of briefly disrupting clean systems is far lower than the cost of allowing the encryption to spread to all of them.

Do not shut down servers without guidance. This is a critical and counterintuitive point. Some ransomware variants accelerate encryption on shutdown. Beyond that, forensic evidence – active process memory, network connections, and encryption keys – lives in RAM and is lost permanently when a server powers off. Unless instructed by an incident response professional, leave servers running and isolate them at the network level instead.

Do not attempt remediation yet. The urge to “fix it” – deleting suspicious files, running malware scans, and reverting configurations – is understandable and almost always harmful at this stage. You may destroy evidence you’ll need for forensics, insurance, and regulatory response. Stop the spread. That’s it.

Minutes 10–25: Scope the Damage Without Making It Worse

Once the immediate spread is contained, the goal shifts to understanding the scope of the incident while being careful not to introduce additional exposure in the process.

Categorize your systems into three buckets: confirmed clean, confirmed infected, and unknown. This matters because your recovery sequencing depends on it. Don’t assume a system is clean because it appears to be functioning normally; some encryption processes run silently in the background.

Check firewall logs for outbound connections. This is the question that changes the legal and regulatory complexity of your incident: did data leave the building before the encryption triggered? In 2025, the financial services industry saw data encryption from ransomware hit 59%, above the 50% average rate across all industries. But encryption is increasingly paired with exfiltration – attackers steal data first, then encrypt, giving them two forms of leverage. Knowing whether data exfiltration occurred is not an IT question; it’s a compliance and legal question with a hard regulatory timeline attached to it.

Determine when the infection likely began. This is where most firms are surprised. The ransom note is not the beginning of the incident; it’s the end of the attacker’s setup phase. Modern ransomware typically dwells in a network for days or weeks before the payload triggers. Your incident response timeline, your forensic investigation, and potentially your regulatory notification window may all extend back much further than the moment the attack became visible.
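As an added example (not from the original article), here is the firewall-log triage from the two steps above in Python: it keeps only allowed flows from hosts in the infected or unknown buckets to addresses outside the firm’s own range that predate the visible event, flags hosts whose pre-encryption outbound volume exceeds a threshold, and reports the earliest external contact as a lower bound on when the intrusion began. The log format, the 10.20.0.0/16 internal range, the hosts, the timestamps and the 50 MiB threshold are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample firewall log lines (not from any real firm), in an assumed
# format: ISO timestamp, action, source IP, destination IP, bytes sent.
FIREWALL_LOG = """\
2026-03-09T02:14:05 ALLOW 10.20.5.17 203.0.113.44 5242880
2026-03-09T02:15:10 ALLOW 10.20.5.17 203.0.113.44 7340032
2026-03-10T09:01:00 ALLOW 10.20.5.23 10.20.9.4 2048
2026-03-11T23:40:12 ALLOW 10.20.5.17 198.51.100.9 104857600
2026-03-12T08:30:00 ALLOW 10.20.5.90 203.0.113.44 512
2026-03-12T08:45:00 ALLOW 10.20.5.17 10.20.9.4 1024
"""
# Constructed triage inputs: the firm's own address space, the hosts in the
# "confirmed infected" and "unknown" buckets, the time the ransom note became
# visible, and an assumed byte threshold for flagging possible exfiltration.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
HOSTS_OF_INTEREST = {"10.20.5.17", "10.20.5.90"}
RANSOM_NOTE_SEEN = datetime(2026, 3, 12, 8, 40)
EXFIL_THRESHOLD_BYTES = 50 * 1024 * 1024

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def triage_outbound(log_text, hosts, visible_event_time, threshold):
    """Summarise ALLOWed flows from `hosts` to non-internal destinations that predate
    the visible event: {host: {"bytes", "first_seen", "destinations", "exfil_suspect"}}."""
    summary = {}
    for line in log_text.splitlines():
        ts, action, src, dst, nbytes = line.split()
        when = datetime.fromisoformat(ts)
        if action != "ALLOW" or src not in hosts or is_internal(dst):
            continue
        if when >= visible_event_time:
            continue  # the question is what left *before* the note appeared
        entry = summary.setdefault(
            src, {"bytes": 0, "first_seen": when, "destinations": set()})
        entry["bytes"] += int(nbytes)
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["destinations"].add(dst)
    for entry in summary.values():
        # Large pre-encryption outbound volume is what counsel needs to know about
        entry["exfil_suspect"] = entry["bytes"] >= threshold
    return summary

def earliest_external_contact(summary):
    """Earliest outbound contact across hosts: a lower bound on when the intrusion began."""
    return min((e["first_seen"] for e in summary.values()), default=None)
```

The 10.20.5.23 line is dropped because that host is in neither bucket, and the 08:45 line because it postdates the ransom note; the remaining flows show one host moving over 100 MiB out days before the visible event.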

Use out-of-band communication from this point forward. If your email system is potentially compromised – and during an active ransomware event, you should assume it might be – stop using it for incident response communication. Use personal phones, text messages, or a pre-established out-of-band communication channel. An attacker who still has access to your email environment can monitor your response in real time.

Minutes 25–40: Legal and Regulatory Notifications Begin Now

This is the window where most MSPs underperform, and where the cost difference between a well-prepared firm and an unprepared one becomes most acute. Ransomware in a financial services firm is not just an IT event. It is simultaneously a legal event, a regulatory event, and a client communication event — and the clocks for each are already running.

Notify firm principals and legal counsel immediately. The decision to engage outside counsel, notify regulators, and communicate with clients is not an IT decision. It is a business and legal decision, and it needs to be made by the people with authority to make it. Get them on the phone now, using personal devices.

Engage your cyber insurance carrier. Most policies require prompt notification and, critically, require you to use their approved incident response vendors. Using a non-approved IR firm, even a competent one, can void your coverage entirely. Your cyber insurance carrier information should be in your incident response plan, documented offline, and known by more than one person in the firm.

Understand your regulatory notification obligations before you need them. Under the SEC’s amended Regulation S-P, RIAs must notify affected customers within 30 days of discovering unauthorized access or use of sensitive customer information, and service providers must notify the RIA within 72 hours of discovering a breach. Smaller RIAs must comply with these requirements effective June 3, 2026. The 30-day clock starts from discovery, which means it may already be running.

For FINRA-registered firms, additional notification and supervisory obligations may apply depending on what data was accessed. Counsel needs to make those determinations, but they need to be in the loop immediately to do so.

Do not issue client communications yet. This is not the time for client notifications. Premature, inaccurate, or legally unreviewed communications during an active incident create additional liability. The notification will come, but it needs to be accurate, reviewed by counsel, and timed appropriately. What you’re doing in this window is getting counsel engaged so they can prepare that communication properly.

Minutes 40–60: Establish Your Recovery Baseline and Posture

With containment in place and the right people engaged, the final segment of the first hour shifts toward positioning the firm for recovery while ensuring the investigation can proceed cleanly.

Confirm backup integrity and identify your last known clean backup point. This is your recovery baseline. The questions you need to answer: Do your backups exist and are they accessible? Are they isolated from the infected environment, or could they have been compromised as well? What is the most recent backup that predates the likely infection point, which, as noted above, may be days or weeks before the visible event?

Many financial firms discover at this moment that backups they assumed were running haven’t been tested, or that backup systems were on the same network segment as infected systems and are themselves encrypted. Only 44% of financial organizations said they used backups to successfully restore data after a ransomware attack in 2025, down from 62% in 2024. The gap between “backups are running” and “backups are recoverable” is where many firms find themselves during the worst possible moment.

Stand up out-of-band communication for the firm. Your primary systems may be down for an extended period. Advisors still need to be able to reach clients, custodians, and each other. Establish a communication bridge – a shared channel, personal email, or phone bridge – that allows the business to function at a basic level while primary systems are being recovered. For RIAs specifically, identify the out-of-band path for custodian contact and trade execution that doesn’t depend on internal systems.

Document everything with timestamps from this moment forward. Your cyber insurance claim, your regulatory response, any litigation that follows, and the client notification you’ll eventually send all depend on a clear, timestamped incident timeline. Who identified the incident? When? What actions were taken and in what order? Who was notified and when? Start this documentation now and maintain it through the entire response. Every decision, every call, every action – written down, with a time.

Begin IR vendor engagement if your internal team cannot handle forensics. Forensic investigation of a ransomware event requires specialized expertise that most internal IT teams, and most generalist MSPs, don’t have. If your cyber insurance carrier’s approved IR vendor hasn’t already been contacted, initiate that engagement now. The forensic investigation is what will ultimately answer the hardest questions: How did the attacker get in? How long were they present? What data did they access or exfiltrate? What does regulatory notification actually require?

The Most Common Failure in the First Hour: Indecision

In reviewing how financial firms handle ransomware events, the pattern that causes the most damage isn’t a wrong decision; it’s the absence of a decision. Waiting to be certain before acting. Waiting for confirmation before isolating. Waiting to call counsel until the situation is “fully understood.” Waiting to notify the insurance carrier until Monday morning.

Ransomware moves faster than deliberation. The playbook above works because it removes the need for deliberation in the moment — the decisions are already made. You isolate first, then investigate. You call counsel before you fully understand the scope. You notify the carrier before you’ve assessed the full damage. You document before you’re certain anything will matter.

In 2025, financial organizations shelled out an average of $1.74 million to fully recover after a ransomware attack – and that figure represents direct recovery costs alone. It doesn’t capture regulatory penalties, client attrition, reputational damage, or the internal operational cost of weeks of disruption. The firms that contain that damage are the ones that act first and verify second.

What Needs to Be in Place Before This Happens to You

The 60-minute playbook above is only executable if certain things already exist. If they don’t, the first hour becomes improvisation – and improvisation under pressure, against a prepared adversary, in a regulated environment, rarely ends well.

An incident response plan that’s documented, offline, and practiced. The plan needs to exist somewhere other than your email system and your file server, both of which may be inaccessible during an attack. It needs to include your cyber insurance carrier contact, your approved IR vendor, your legal counsel, and the regulatory notification requirements specific to your firm type and size.

Cyber insurance with confirmed ransomware coverage and known requirements. Many firms discover during an event that their policy has gaps they didn’t know about, or that they’ve used a non-approved vendor and voided their coverage. Know your policy before the event, not during it.

Tested, isolated backups with a documented recovery process. Backups that have never been restored are assumptions, not protections. Under Regulation S-P and FINRA expectations, tested backups with documented results are an expectation, not merely a best practice.

A network architecture that limits lateral movement. An attacker who compromises one workstation in a flat network can reach everything. Hard VLAN segmentation, privileged access controls, and zero-trust principles limit the blast radius of any single point of compromise.

Endpoint detection and response, not traditional antivirus. 66% of financial services respondents in Sophos’ 2025 ransomware report cited lack of or poor-quality protection as a root cause of their attack. Behavioral EDR detects the pre-encryption activity – the lateral movement, the privilege escalation, the backup deletion – that signature-based antivirus misses entirely.

How Alliance Tech Helps St. Louis Financial Firms Stay Prepared and Secure

The 60-minute playbook is only as good as the preparation behind it. At Alliance Tech, we work with St. Louis RIAs, wealth management firms, and financial services organizations to build the technical foundation that makes incident response executable, not just documented.

That means network architecture designed to limit lateral movement, endpoint detection and response that catches pre-encryption behavior, backup systems that are tested and isolated, and the managed IT environment that gives you visibility into your systems before an incident occurs. We also help firms structure the incident response documentation, vendor notification requirements, and technical controls that Regulation S-P and FINRA now expect to find in place during examinations.

If you’d like an honest assessment of where your firm stands against the scenarios in this article, we’re ready to have that conversation.

Give us a call or schedule a free assessment online. We’ll give you a clear-eyed read on your firm’s readiness before the first 60 minutes begins. We serve financial firms in St. Louis and Grand Rapids.
