On October 13, 2020, state financial regulators, in partnership with the Bankers Electronic Crimes Taskforce and the U.S. Secret Service, released the Ransomware Self-Assessment Tool (R-SAT) to help financial institutions mitigate the risks of ransomware. The R-SAT is a detailed questionnaire designed to evaluate the effectiveness of an institution’s general security controls as well as to assist its executive management and the board of directors in identifying, responding to, and recovering from a ransomware attack. For example, the R-SAT includes questions regarding:
- Adherence to a comprehensive set of security control frameworks (such as CIS Controls, COBIT, ISO, NIST, or PCI-DSS);
- Performance of a gap assessment against that security framework;
- Presence of a valid cyber policy that addresses ransomware;
- Identification of information resources; and
- Third-party vendor access controls.
For banks, the R-SAT is not simply general guidance; it may result in additional regulatory inquiry. State banking commissioners across the country are releasing this tool to their institutions, which means that these questions could be asked in the course of regulatory oversight. In particular, the Texas Division of Banks stated that it will contact institutions in the first half of 2021 to “discuss [the institution’s] progress in implementing ransomware mitigation as well as all aspects of the R-SAT.” It also noted that information technology examinations scheduled in the first half of 2021 will include a review of the financial institution’s completed R-SAT.
With this release, state financial regulators remind financial institutions to be vigilant against increasingly sophisticated ransomware attacks. Regulators also remind financial institutions that paying a ransom could expose financial institutions (and incident response consultants) to civil penalties if the payment is made to a cybercriminal sanctioned by Treasury’s Office of Foreign Assets Control (OFAC) (Alston recently covered OFAC’s ransomware advisory here).
Although “there is no single measure to prevent ransomware attacks,” state financial regulators stress that strong backup practices and the use of multi-factor authentication are two of the most important. In many respects, the R-SAT continues to affirm good cyber hygiene in accordance with existing cybersecurity frameworks and industry best practices.