The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service first released the Ransomware Self-Assessment Tool (R-SAT) in October 2020 as a tool for banks to use to evaluate their preparedness for a ransomware attack and to help identify additional controls that should be implemented to increase a bank’s security.
A number of state banking departments worked together to evaluate banks that suffered a ransomware attack between January 1, 2019 and December 31, 2022, and the Conference of State Bank Supervisors used this information to publish a report in October 2023 that identifies the lessons learned by these banks1.
Key Findings from the Ransomware Lessons Report
This report identifies the following significant findings:
- Lack of completion and proper use of the R-SAT to identify gaps in a bank’s security controls to prevent or mitigate the effects of a ransomware attack
- Lack of multi-factor authentication or improperly configured multi-factor authentication
- Lack of proper understanding of social media and methods for monitoring social media platforms to address the potential dissemination of misinformation that may affect a bank’s reputation
In response to the findings identified in this report, a new version of the R-SAT was released in October 2023 that identifies additional security considerations that banks will need to evaluate regarding their preparedness for a ransomware attack.
Notable Additions to R-SAT
The notable additions to the new version of the R-SAT are identified below:
- Specific questions were added in item 3 regarding the services provided by the cyber insurance carrier to respond to a ransomware attack
- A column was added in item 4 to identify services that are based in a cloud environment
- Item 5 is a new question asking if any data is housed in a location outside of the United States
- Item 10 now asks about the frequency of employee security awareness training
- Item 11 is a new question asking if the institution performs phishing test exercises at least quarterly
- Item 12 identifies additional questions regarding backup data validation and recovery capabilities
- Item 13 includes additional questions regarding the implementation of multi-factor authentication
- Item 14 includes several new additional preventative controls that should be considered
- Item 18 includes additional ransomware response procedures that should be included in the incident response plan
Security Control Enhancements Recommended by Young & Associates
Through the IT Audits and consulting work that Young & Associates performs for community banks and credit unions, we also see value in the following security control enhancements:
- Proper understanding of the use of cloud-based services and appropriate policies governing their use
- Providing cybersecurity training to employees throughout the year that identifies current threats rather than just one annual training session
- Performing employee phishing tests at least quarterly rather than just once a year
- Performing an authentication assessment and implementing multi-factor authentication for all critical systems and applications
To help prevent or mitigate the potential effects of a ransomware attack and to prepare for their next IT examination, banks should review the report regarding the ransomware lessons learned by banks that suffered an attack and complete the updated R-SAT by using the following link to access these resources: https://www.csbs.org/ransomware-self-assessment-tool
Strengthening Bank Security Against Ransomware
As cyber risks become more prevalent, managing your technology infrastructure and security is paramount. Young & Associates provides financial institution IT consulting to help protect community banks and credit unions from internal and external threats. Should you have any questions about this article, please reach out to Mike Detrow, Director of Information Technology, at [email protected] or contact us on our website.
