
Notable changes in the new ransomware self-assessment tool

January 22, 2024

By: Mike Detrow, CISSP 

The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service first released the Ransomware Self-Assessment Tool (R-SAT) in October 2020. Banks use the tool to evaluate their preparedness for a ransomware attack and to identify additional controls that should be implemented to strengthen the bank's security posture.

A number of state banking departments worked together to evaluate banks that suffered a ransomware attack between January 1, 2019 and December 31, 2022, and the Conference of State Bank Supervisors used this information to publish a report in October 2023 that identifies the lessons learned by these banks [1].

Key findings from the ransomware lessons report

This report identifies the following significant findings: 

  • Lack of completion and proper use of the R-SAT to identify gaps in a bank’s security controls to prevent or mitigate the effects of a ransomware attack 
  • Lack of multi-factor authentication or improperly configured multi-factor authentication 
  • Lack of proper understanding of social media and methods for monitoring social media platforms to address the potential dissemination of misinformation that may affect a bank’s reputation 

A new version of the R-SAT, released in October 2023, identifies additional security considerations that banks will need to evaluate regarding their preparedness for a ransomware attack.   

Notable additions to R-SAT

Notable additions to the new version of the R-SAT include: 

  • Specific questions added in item 3 regarding the services provided by the cyber insurance carrier to respond to a ransomware attack  
  • A column was added in item 4 to identify services that are based in a cloud environment 
  • Item 5 is a new question asking if any data is housed in a location outside of the United States 
  • Item 10 now asks about the frequency of employee security awareness training  
  • Item 11 is a new question asking if the institution performs phishing test exercises at least quarterly 
  • Item 12 identifies additional questions regarding backup data validation and recovery capabilities 
  • Item 13 includes additional questions regarding the implementation of multi-factor authentication 
  • Item 14 includes several new additional preventative controls that should be considered 
  • Item 18 includes additional ransomware response procedures that should be included in the incident response plan 

Security control enhancements recommended by Young & Associates

Through the IT audits and consulting work that Young & Associates performs, we also see value in:

  • Proper understanding of the use of cloud-based services and appropriate policies governing their use 
  • Providing cybersecurity training to employees throughout the year that identifies current threats rather than just one annual training session 
  • Performing employee phishing tests at least quarterly rather than just once a year 
  • Performing an authentication assessment and implementing multi-factor authentication for all critical systems and applications 

To help prevent or mitigate the potential effects of a ransomware attack, and to prepare for their next IT examination, banks should review the report on the ransomware lessons learned by banks that suffered an attack and then complete the updated R-SAT. Both resources are available at the following link: https://www.csbs.org/ransomware-self-assessment-tool

Strengthening bank security against ransomware

As cyber risks become more prevalent, managing your technology infrastructure and security is paramount. Young & Associates provides financial institution IT consulting to help protect community banks and credit unions from internal and external threats.
