On Tuesday, October 13, 2020, the Conference of State Banking Supervisors (CSBS), in conjunction with the Bankers Electronic Crimes Task Force (BECTF) and the U.S. Secret Service, issued a Ransomware Self-Assessment Tool (R-SAT) designed for state-chartered banks and credit unions. 

What is the R-SAT? 

The R-SAT is a 16-question self-assessment designed to help financial institutions reduce the risks of ransomware. The tool was developed by a national task force led by Texas Banking Commissioner Charles Cooper and consisting of community bankers, state bank regulators, law enforcement, and other industry stakeholders. According to the CSBS press release, "using the ransomware tool, a bank can assess its efforts to control and mitigate risks associated with the threat of ransomware and identify gaps that require increased security." 

What is Ransomware? 

According to the R-SAT, "Ransomware is a type of malicious software (malware) that encrypts data on a computer, making it difficult or impossible to recover. The attackers usually offer to provide a decryption key after a ransom is paid; however, they might not provide one or it might not work if provided, which could make the financial institution's critical records unavailable. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations." 

What does this mean for banks and credit unions? 

The R-SAT is an excellent tool for any financial institution to use when evaluating the organization's current security posture as it relates to ransomware, as well as identifying potential areas for improvement. Each state will have different expectations related to the R-SAT for regulated banks, credit unions, and other state-chartered financial institutions. Below is a list of states that have published statements related to the R-SAT. 

Arkansas

The Arkansas State Banking Department is strongly encouraging state banks to complete the tool as soon as possible and to submit completed questionnaires to the State Banking Department at asbd@banking.state.ar.us by March 31, 2021. In addition, IT examinations scheduled between now and the end of the second quarter of 2021 will include a review of the completed R-SAT. Also, they are working with the US Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff.

Hawaii 

Bank regulators in Hawaii are working with the U.S. Department of the Treasury to schedule tabletop exercises around ransomware in the coming months for bank CEOs and members of their technical staff.

http://cca.hawaii.gov/blog/release-self-assessment-tool-available-for-banks-to-battle-ransomware/ 

Massachusetts

Massachusetts joined other state and federal agencies in announcing the R-SAT for mitigating the risks of ransomware. 

Minnesota

The Minnesota Commerce Department encourages state financial institutions to complete the R-SAT as soon as possible. In addition, they are working with the US Treasury Department to schedule tabletop exercises in the coming months for bank CEOs and a member of their technical staff. 

Texas 

The Texas Department of Banking will contact state regulated institutions during the first half of 2021 to discuss their progress with the R-SAT. In addition, IT examinations scheduled during the first half of 2021 will include a review of the financial institution's completed R-SAT. 

https://www.dob.texas.gov/sites/default/files/files/news/Industrynotices/in2020-13.pdf

Are there any changes I should make to my existing Information Security program in response to R-SAT? 

The R-SAT is designed to bring attention to ways you can prevent and respond to ransomware. Review each recommended control and determine whether it is implemented in your environment. If a recommended control does not currently exist in your security environment, you may wish to consider implementing the control and updating the related documentation in your Risk Assessment, Policies, Business Continuity Plan, or Vendor Management program. 

In response to the R-SAT, Tandem is reviewing product commentary and consultative text to see where updates might be helpful. If changes are made, they will be announced to customers through the software update notification process. Confirm you are subscribed to receive software update notifications via the Your Account page in Tandem. 

Join us for a webinar about the R-SAT on November 17th to learn more about the tool and how Tandem can help.

Will Tandem create a tool to help financial institutions complete the R-SAT? 

At Tandem, it is our goal to improve security while easing the burden of regulatory compliance for our customers. As such, we are currently working to release a Tandem mapping document for the R-SAT. This document will help current Tandem customers find the answers to the R-SAT questions within their Tandem products.

Due to the nature and brevity of the R-SAT, we are unsure if we will be creating an R-SAT product to document the questions and answers. We will continue to evaluate client and industry feedback to determine if developing an R-SAT tool would be beneficial to the end-user and if it should be part of future Tandem strategy. 

Update log: 
  • This article was updated on October 21st, 2020 to include Arkansas' response to the R-SAT.
  • This article was updated on October 20th, 2020 to include additional information about Ransomware and answer questions regarding Tandem product updates. 
  • This article was updated on October 19th, 2020 to include Minnesota's response to the R-SAT.
  • This article was updated on October 16th, 2020 to include Massachusetts' response to the R-SAT.

For any updates or corrections to state expectations, please email info@tandem.app.