As we continue our discussion with Senior Director of Cybersecurity Policy and Supervision for the Conference of State Bank Supervisors (CSBS) Brad Robinson, we delve deeper into the intricacies of the Ransomware Self-Assessment Tool (R-SAT) crafted by CSBS, and we embark on a journey to demystify the intricacies of ransomware defense. Our dialogue with the architects of the R-SAT has uncovered a trove of insights, which we’re excited to share as we tackle the most pressing questions posed by clients during the assessment. This exploration will shed light on the foundational questions within the identify/protect domain. Join us as we navigate the intricate maze of cybersecurity measures, providing clarity and guidance every step of the way.
Identify/Protect Domain: R-SAT FAQs
The R-SAT commences with a pivotal query regarding whether the institution has deployed a comprehensive control suite to thwart cyberattacks, listing potential frameworks. Is there an optimal number of frameworks an institution should adopt? Does a greater quantity equate to enhanced security?
There are some institutions that do find benefit in adopting more than one framework, but that really is a function of each individual institution’s specific needs. Although examiners see multiple frameworks in use on occasion, it appears to be more prevalent in larger banks. Smaller banks may find it sufficient to stick with one framework. However, there is really nothing stopping a bank of any size from gravitating to multiple frameworks if they find benefit in doing so. There really aren’t any definitive statistics supporting it, but I think it would be a safe assumption that an institution using multiple frameworks might benefit from the different nuances and approaches that each provides. But, in the end, that decision to utilize multiple frameworks is ultimately up to the institution.
Following the initial assessment, the R-SAT probes the thoroughness of a gap analysis on these controls. Could you provide some examples of what constitutes a satisfactory gap analysis?
Gap analysis is key to understanding where the institution is and where it needs (or wants) to be with respect to its cybersecurity posture. If a bank understands the controls applicable to an “expected” maturity or profile level, then that careful analysis allows for the clearer identification of things that may be missing. At the same time, most of these available frameworks, including the NIST 2.0 Cybersecurity Framework, provide profiles or tiers that can serve as a sort of benchmark for where the institution is and where it needs or wants to be with respect to its cybersecurity risk management practices. For example, in NIST 2.0, there are four progressive “tiers” designed to help inform the institution’s current and targeted organizational profile. The tiered approach used in these profiles allows the institution to focus on very specific desired control goals for their cybersecurity program. The gap analysis simply provides a bit of a clearer roadmap for the institution to achieve its posture goals.
The third question inquires about the existence of cyber insurance and seeks the insurer’s name. What significance does the specificity of this question hold?
When a ransomware attack occurs, there are a lot of actions — both technical and administrative — that a bank must take, and benefits from cyber insurance policies can provide valuable assistance to the bank both during and after an incident. This question was enhanced from the previous version to encourage a deeper examination of the specific benefits that might be offered through their policy. The hope is that the specificity of the question will encourage a deeper periodic review of policies — much like life insurance and E&O policies are regularly reviewed. The inclusion of the insurer’s name, as well as the checklist of potential benefits from these policies, are simply tools to enable a clearer understanding of what benefits the bank might (or might not) have at its disposal in the event of an incident. At a high level, understanding the role that breach coaches and other services play can also help guide the bank’s incident response planning efforts since third-party assistance often plays such a large role in recovery when an incident occurs.
The query also delves into the policy’s scope, including “Data Retention Services.” Could you define this service?
As a bank deals with containing an incident and restoring systems, one would certainly expect the institution’s IT teams to focus on immediate remediation and containment. However, as the bank carries out these activities, there may be unintended consequences from the standpoint of enabling forensic investigation and/or addressing any post-incident litigation that might occur (for example, if drives are wiped without imaging or valuable log data is deleted). This bullet point consideration is really meant to help banks, particularly those smaller institutions with limited internal technical resources, understand whether the insurance company — via the breach coach and/or engaged supporting teams — might provide assistance or consultation to the institution’s IT teams regarding the retention and preservation of needed data artifacts in the heat of the incident remediation process.
The fourth question may appear straightforward, yet understanding the deployment of systems — be it cloud-based, in-house, or outsourced — is crucial within the R-SAT’s framework. Why is this distinction vital?
The modern financial institution, driven by necessity, economics, or convenience, may utilize third parties (including cloud providers) to manage the critical functions of the institution (e.g., core processing, loan origination, and data storage). And because the management of these critical functions and systems can vary significantly depending on how they are implemented within the institution, we felt that it was important that we included a question to encourage thought and awareness of how these functions are situated. In addition, processes around vendor management, incident response, and business continuity are better enabled when the management and placement of these critical functions are better understood by the institution.
The fifth question emphasizes the importance of geographical awareness of data storage. What insights does this knowledge impart?
Data privacy regulations can vary significantly across different nations, which can present unintended issues for the unaware institution. And because financial institutions can and do utilize vendors having locations all over the world for services like virtual private networks, backup, and storage, we felt it was important that institutions have that awareness of where their data was located, as well as the regulations it might be subject to in those various geographies.
The sixth question investigates the nature of third-party vendors’ access to systems. What conclusions should be drawn from this inquiry?
Although this question has a few different moving parts, the ultimate purpose of this question is to get institutions thinking about which third parties have access to their “crown jewels,” how they connect to institution systems, and the nature of controls these third parties have (or don’t have) in place to protect the institution’s environment and data. It’s really not possible to assess or manage third-party connections without understanding where those connections are taking place. Believe it or not, the nature of these connections is not always well understood in all institutions. Mirroring the general spirit of the R-SAT as a thought-provoking exercise, this question will hopefully lead to institutions having a better understanding of the connections and, through identification of third-party controls, allow the institution to identify and address those connections that may not be as secure as they should be.
The 10th question spotlights employee training. Why is this aspect critical, and what role do end-users play in safeguarding institutional networks from ransomware?
From a personal perspective, I think employee training and awareness are essential in today’s environment, and that view is widely shared among both state and federal regulators. A very high percentage of cyber events get their start from the innocent actions of humans falling for phishing emails, clicking on links to nefarious websites, and entering access credentials on phony websites. Threat actors are quick to take advantage of human curiosity and the fact that we are all extremely busy — both factors that can lead to the introduction of threat actors into institution systems. We collectively feel that forming and maintaining a continuous culture of cyber awareness among every single employee is critical to reduce the likelihood of exploitation of the human factor. Training programs that are provided only once annually may or may not be sufficient to foster this necessary year-round awareness in all employees, and training programs that are limited in subject matter may not expose employees to the wide spectrum of evolving threat actor tactics they are likely to see on a daily basis. Unfortunately, there is no one “correct” universal solution to the issue of training, but hopefully, this question will encourage institutions to more closely evaluate both the frequency and content of their training efforts as it relates to their own institution’s needs. And certainly, more is better on all fronts.
Question 14 requests an indication of specific control implementations. Amidst frequent queries, does an institution need to have all 15 controls in place? Is there a threshold for success, such as 10 out of 15 controls?
Because the complexity and composition of control implementations vary, to some extent, based on institution size and complexity, there is no one universal set of controls that one would expect to see across the breadth of institutions in this country. That being said, the controls listed in this question are widely recognized as best practices, and some of the controls, including patch management, change management, and access management, are specific points of emphasis during regulatory examinations. In an ideal world, each of these controls would be implemented in every institution. However, understanding the wide variety of institution sizes and complexities, it is our hope that institutions not utilizing some of the listed controls will use the results of the R-SAT to evaluate the appropriateness of potentially implementing those controls in their individual institutions. Finally, listing these controls as we have in this question may also introduce some institutions to controls that they may not have previously considered. Again, it all boils down to the use of the completed R-SAT as a vehicle to encourage evaluation and discussion of controls in place within the institution.
Lastly, why is it crucial to include ransomware in tabletop testing of the incident response plan?
I think we can all agree that ransomware is a huge problem for financial institutions (after all, it’s why we’re here talking about the R-SAT). Threat actor tactics are constantly evolving, as evidenced by the double and triple extortion techniques we’ve begun to see utilized against financial institutions. Responding to a ransomware attack requires rapidly executed and comprehensive actions from a variety of institution staff, including technical, administrative, and management teams. As such, it is imperative that the institution is as prepared as it possibly can be to execute its incident response plan when an incident occurs. Incident response exercises are analogous to a football team practicing for a big game. In both instances, poor practice generally leads to poor performance. Outside of real-world implementation of the plan in response to a live incident, scenario-based tabletop exercises likely provide the most effective means for an institution to examine the finite aspects of their planned response in a controlled, risk-free environment. All personnel and teams with assigned roles and responsibilities in the incident response plan should participate in the exercise and understand their specific duties, as there is no room for confusion when time is of the essence during an attack. And, importantly, material shortcomings identified during the exercise should be immediately addressed, with remediation of any weaknesses in the plan being tracked to completion.
The goal here is to discover and remediate potential weaknesses in the plan during a time when there is no impact on the institution. Conversely, a broken incident response plan will most certainly lead to poor outcomes during a real-world ransomware incident. It may sound like hyperbole, but the very lifeblood of the institution may depend on its ability to execute a coordinated, current, and thoroughly tested incident response plan.
Continue Your Journey with the R-SAT
As we wrap up part two of this series, we hope this deep dive into the identify/protect domain of the R-SAT has provided you with valuable insights and practical guidance for strengthening your institution's cybersecurity measures. Our conversation with Brad Robinson has illuminated the complexities and nuances of ransomware defense, offering a clearer understanding of the foundational questions within this domain.
Stay tuned for part three, where we will explore the remaining questions on the R-SAT. We will continue our mission to demystify this crucial assessment tool and help your institution navigate the labyrinth of cybersecurity challenges with confidence. Your journey to a more secure future continues here.