NOTE: This article may contain outdated information. See the updated article for details: Updated Ransomware Self-Assessment Tool (R-SAT 2.0).
* * * * *
As states announce their intentions for the new R-SAT, we will add them to this list. We expect most state-chartered institutions will be contacted about completing the R-SAT. Read our Ransomware Self-Assessment Tool (R-SAT): What Banks and Credit Unions Need to Know article to learn the whos, whats, and whys of the R-SAT.
To recommend any updates or corrections to state expectations, please email info@tandem.app.
Alabama
The State Banking Department of Alabama reached out to bank presidents via telephone and email requesting they complete the R-SAT by January 1, 2021.
Arkansas
The Arkansas State Banking Department is strongly encouraging state banks to complete the tool as soon as possible and to submit completed questionnaires to the State Banking Department at asbd@banking.state.ar.us by March 31, 2021. In addition, IT examinations scheduled between now and the end of the second quarter 2021 will include a review of the completed R-SAT. Also, they are working with the US Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff.
https://banking.arkansas.gov/news/153/self-assessment-tool-for-mitigating-the-risks-of-ransomware
California
The California Department of Financial Protection and Innovation (DFPI) emailed California state-chartered bank CEOs introducing the ransomware self-assessment tool. The email encourages banks to complete the tool as soon as possible and states the DFPI will include ransomware preparedness assessments in future IT examinations. In addition, they are working with the U.S. Treasury Department to schedule tabletop exercises in coming months for bank CEOs and a member of their technical staff.
Georgia
The Department of Banking and Finance published the R-SAT stating, "it was developed to help financial institutions assess their efforts to mitigate risk associated with ransomware and identify gaps for increasing security."
https://dbf.georgia.gov/banks-holding-companies/publications-and-guidance
Hawaii
Bank regulators in Hawaii are working with the U.S. Department of the Treasury to schedule tabletop exercises around ransomware in the coming months for bank CEOs and members of their technical staff.
http://cca.hawaii.gov/blog/release-self-assessment-tool-available-for-banks-to-battle-ransomware/
Iowa
The Iowa Division of Banking sent a letter to bank presidents and CEOs informing them of the risks of ransomware and the purpose of the R-SAT, stating the tool is a voluntary resource to help banks assess the risks of ransomware. They also said they will be working with the U.S. Treasury Department to schedule tabletop exercises with bank CEOs and a member of their technical staff.
Kansas
The Office of State Bank Commissioner of Kansas (OSBC) has sent two emails to financial institutions in Kansas. The first email introduced the R-SAT as another tool towards proper awareness and controls to prevent the growing threat of ransomware and encouraged banks to complete the tool. The state completed R-SAT documents will be requested and reviewed by OSBC staff during future IT examinations. The second email invites institutions to attend a virtual ransomware tabletop exercise hosted by the CSBS and the Treasury Department scheduled for December 8th.
Maine
The Bureau of Financial Institutions, addressing Maine State-Chartered Financial Institutions, emailed CEOs introducing and providing a copy of the R-SAT. They stated that due to the extreme impact ransomware can have, the Bureau's examiners will continue to review institutions' established policies and procedures to prevent ransomware as part of their regularly scheduled safety and soundness examinations. They also stated they are working with the US Treasury Department to potentially schedule voluntary tabletop exercises in the coming months for CEOs of financial institutions together with members of their technical staff.
Maryland
The Maryland Office of the Commissioner of Financial Regulation sent an email to Maryland Banking Executives encouraging state-chartered financial institutions to complete the tool as soon as possible. In addition, the email stated that state examiners would be contacting institutions during the first half of 2021 to discuss the questionnaire and progress on implementing the ransomware mitigation measures, and that tabletop exercises would be scheduled for bank CEOs and a member of their IT staff.
Massachusetts
Massachusetts joined other state and federal agencies in announcing the R-SAT for mitigating the risks of ransomware.
Michigan
The Michigan Department of Insurance and Financial Services emailed Michigan bank executives introducing the ransomware self-assessment tool. They encourage institutions to complete the tool as soon as possible as they believe banks will find it a very helpful resource. They will be discussing the R-SAT during upcoming examinations. In addition, they are working with the U.S. Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff.
Minnesota
The Minnesota Commerce Department encourages state financial institutions to complete the R-SAT tool as soon as possible. In addition, they are working with the US Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff.
https://mn.gov/commerce-stat/pdfs/self-assessment-tool-mitigating-risks-ransomware.pdf
Ohio
The Ohio Department of Commerce emailed bank presidents and CEOs informing them of the risks of ransomware and the purpose of the R-SAT. Because of the extreme impact that ransomware can have, they asked institutions to respond to their state IT examiner on or before January 31, 2021 with their plans for addressing the risk of ransomware, and whether that plan will include using the R-SAT or using another tool. They also stated they will begin to discuss the R-SAT with bank management when conducting future IT exams.
Texas
The Texas Department of Banking will contact state regulated institutions during the first half of 2021 to discuss their progress with the R-SAT. In addition, IT examinations scheduled during the first half of 2021 will include a review of the financial institution's completed R-SAT.
https://www.dob.texas.gov/sites/default/files/files/news/Industrynotices/in2020-13.pdf
Washington
The Washington State Department of Financial Institutions sent a notice to all state-chartered financial institutions which stated, "one of our IT specialists examiners will be contacting you during the first half of 2021 to discuss your progress in implementing ransomware mitigation measures... If your financial institution is scheduled for an IT examination after the first of the new year, we will review your completed R-SAT during the upcoming examination." In addition, the notice stated they are working with the US Treasury Department to schedule voluntary tabletop exercises in the coming months.
West Virginia
The West Virginia Division of Financial Institutions (WVDFI) sent an email to state financial institutions offering the tool due to the rapid advancements in ransomware and potentially devastating consequences which require financial institutions to be vigilant. They suggest one of the greatest concerns is an increase of attacks on Managed Service Providers (MSPs) which many banks in WV utilize. They state that the tool is not mandatory, but they believe using the ransomware self-assessment tool may help WV institutions be more resilient to ransomware attacks and prevent any disruption to operations by implementing necessary detective and preventative measures against this very real threat. They also state institutions should expect this to become a regular topic of discussion during future IT examinations.
Wisconsin
The Wisconsin Department of Financial Institutions (DFI) sent an email to Wisconsin Banking Executives encouraging state-chartered financial institutions to complete the tool as soon as possible. In addition, they state they are working with the US Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff.
Update log:
- This article was created on November 20th, 2020 to focus on the state announcements. Other R-SAT details can be found on our Ransomware Self-Assessment Tool (R-SAT): What Banks and Credit Unions Need to Know article.