Examiners Want You Prepared for a Ransomware Attack with the R-SAT

Developed for Bankers

On October 12, 2020, the Conference of State Bank Supervisors (CSBS), in conjunction with the Bankers Electronic Crimes Task Force (BECTF) and the U.S. Secret Service, introduced a new Ransomware Self-Assessment Tool (R-SAT) to help financial institutions prepare for and mitigate the effects of a ransomware attack.


So far, a handful of states have issued statements or guidance to financial institutions in their state requiring or recommending that the R-SAT be completed "as soon as possible" and/or that the results be submitted to the state banking department by a specific date. Chances are, if your institution is located in one of these states, you have received an email from examiners requesting that your institution complete the newly introduced R-SAT. While implementation of the R-SAT is a decision of each state bank commissioner, the following states have published statements related to the R-SAT:

  • Arkansas: The Arkansas State Banking Department is strongly encouraging state banks to complete the tool as soon as possible and to submit completed questionnaires to the State Banking Department by March 31, 2021. In addition, IT examinations scheduled between now and the end of the second quarter 2021 will include a review of the completed R-SAT. Also, they are working with the US Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff.
  • Georgia: The Georgia Department of Banking and Finance published the R-SAT stating, "it was developed to help financial institutions assess their efforts to mitigate risk associated with ransomware and identify gaps for increasing security."
  • Hawaii: The Hawaii Department of Commerce and Consumer Affairs Division of Financial Institutions (DFI) is working with the U.S. Department of the Treasury to schedule tabletop exercises around ransomware in the coming months for bank CEOs and members of their technical staff.
  • Massachusetts: The Massachusetts Division of Banks joined other state and federal agencies in announcing the R-SAT for mitigating the risks of ransomware.
  • Minnesota: The Minnesota Commerce Department encourages state financial institutions to complete the R-SAT tool as soon as possible. In addition, they are working with the US Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff.
  • Nebraska: The Nebraska Department of Banking and Finance encourages state financial institutions to complete the R-SAT tool as soon as possible. NDBF will review ransomware procedures and discuss the R-SAT with management and staff during the institution’s next examination. In addition, NDBF is working with the US Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff.
  • North Dakota: The North Dakota Department of Financial Institutions encourages state financial institutions to complete the R-SAT tool as soon as possible. ND DFI will review ransomware procedures and discuss the R-SAT with management and staff during the institution’s next examination. In addition, ND DFI is working with the US Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff.
  • Ohio: The Ohio Division of Financial Institutions emailed regulated institutions to respond to the agency’s request to complete the tool and to submit completed questionnaires on or before January 31, 2021, with plans for addressing ransomware risk, and whether that plan will include using the R-SAT or using another tool. In the near future, they will begin to discuss the R-SAT with bank management when conducting an IT exam.
  • Texas: The Texas Department of Banking will contact state regulated institutions during the first half of 2021 to discuss their progress with the R-SAT. In addition, IT examinations scheduled during the first half of 2021 will include a review of the financial institution's completed R-SAT.
  • Washington: The Washington State Department of Financial Institutions will contact state regulated institutions during the first half of 2021 to discuss their progress with implementing ransomware mitigation measures. In addition, IT examinations scheduled during the first half of 2021 will include a review of the financial institution's completed R-SAT. In addition, they are working with the US Treasury Department to schedule voluntary tabletop exercises in the coming months. 

The High Points

A few highlights from the October 13 press release and supplemental documentation that are noteworthy as you jump into the R-SAT:

  • Ransomware is currently the most visible cyber threat to community banking.
  • The rapid evolution of attack methods and potential destructive aftermaths necessitate a proactive review of your control environment.
  • Ransomware can result in the abrupt and unforeseen interruption of your critical services, including core banking systems.
  • Paying a ransom does not guarantee your information can be restored promptly or recovered at all, which could result in your institution's failure.
  • Payment to cybercriminals sanctioned by the Treasury's Office of Foreign Assets Control (OFAC) would violate OFAC regulations, exposing your institution to potentially costly monetary penalties (up to $20 million) and reputational damage.
  • Some areas of the R-SAT are technical and may require the assistance of third-party service providers for accurate completion.
  • Accurate and timely completion of the assessment, as well as periodic re-assessment, are encouraged.


The R-SAT is intended to provide an executive-level view of improvement opportunities using non-measurable, qualitative statements to gauge risk. Security professionals may find the tool constrained, since quantitative results often drive tangible decision making and such measurables are not delivered in the R-SAT. Also, security professionals who have adopted common security frameworks may find that the R-SAT's compilation of practice statements does not identify gaps in implementing those frameworks. While the R-SAT may have limited capabilities for the security profession, the opportunity to discuss information security practices with the Board of Directors should be seen as a victory.


If your financial institution is located in one of the states listed above, you can anticipate that your next IT examination will focus on completing the R-SAT, along with discussion of your backups and your efforts to implement multi-factor authentication (MFA). In addition, some agencies are expected to sponsor virtual tabletop exercises in the coming months.

A Detail Dive

The Ransomware Self-Assessment Tool (R-SAT) has 16 questions designed to help your financial institution reduce ransomware risks. The tool is specifically designed for community financial institutions.


The R-SAT provides executive management and the Board of Directors with an overview of the institution's preparedness to identify, protect against, detect, respond to, and recover from a ransomware attack. The R-SAT is an organizational risk assessment, strategic in nature, that evaluates the risk to your institution from the highest level based on what your institution has and does. The new tool should supplement your institution's tactical risk assessments, in which the threat of ransomware is measured and mitigated to comply with the Gramm-Leach-Bliley Act (GLBA), to document a comprehensive Business Continuity Management (BCM) Plan using a Business Impact Analysis (BIA), or to develop Incident Response Plans (IRPs).


When completed, the R-SAT should provide a scorecard for executive management and the Board of Directors to develop a greater understanding of the institution's ransomware preparedness and areas where improvements can be made.


Topics of the R-SAT questionnaire include:

  1. Implementing a comprehensive set of security control frameworks (such as CIS Controls, COBIT, ISO, NIST, or PCI-DSS)
  2. Performing a gap assessment against that security framework
  3. Mitigating risk with cyber insurance
  4. Inventorying information assets and critical data
  5. Managing third-party vendor access controls
  6. Addressing ransomware in cybersecurity policies and risk assessments
  7. Remediating ransomware risk to acceptable levels
  8. Training employees regarding cybersecurity and ransomware
  9. Implementing controls for the backup of core processing and network administration
  10. Establishing preventive controls to identify an attack and protect against data loss
  11. Testing incident response plans annually with executive participation
  12. Monitoring for malicious activity
  13. Coordinating a response to an incident
  14. Developing a comprehensive incident response plan
  15. Ensuring the availability of outside expertise
  16. Returning to normal operations

Implementing Key Controls

Although no silver bullet can prevent a ransomware attack, implementing and maintaining fundamental cybersecurity controls will minimize the risk of a total loss of information. Two vital controls highlighted in the supplemental document "Ransomware Preparedness: Minimizing the Risk of Total Loss of Records" include:

  • Maintaining a strong backup routine.
  • Implementing multi-factor authentication (MFA).


Your institution can fail in all efforts to prevent ransomware, but with true offline, immutable, and restorable backups, your institution can usually minimize the risk of failure. A backup that has not been test-restored is only assumed to be restorable, so the restore process itself should be exercised regularly.


Additionally, the compromise of administrative credentials (username and password) is an essential step for criminals to deploy ransomware. Your institution should implement multi-factor authentication for all employees with administrative access. Furthermore, information stored in a cloud environment (outside of your firewall) should only be accessible with MFA.


The R-SAT is derived from the BECTF Best Practices for Banks: Reducing the Risk of Ransomware (June 2017). Prior to your initial completion of this tool, we recommend that you and your third-party provider become familiar with BECTF Best Practices and additional information provided in R-SAT guidance.


R-SAT Takeaways

Ransomware attacks continue to increase globally with no end in sight. Doing what you can to prevent a ransomware attack is critical to any organization's ongoing operations, but being able to detect and respond to a ransomware attack is equally important.


While the CSBS Ransomware Self-Assessment Tool is not a measurable, quantitative framework for mitigating ransomware risk, nor is it IT-asset- or system-specific, the R-SAT does provide a high-level overview of the controls your financial institution should be implementing and maintaining to mitigate the risk of ransomware attacks.

Written by: Shane Daniel, Vice President/Senior Information Security Consultant, SBS CyberSecurity


Posted: Wednesday, November 4, 2020
Categories: Blog