On Tuesday, October 13, 2020, a Ransomware Self-Assessment Tool (R-SAT) was released to state-chartered financial institutions by the CSBS, BECTF, and USSS. Read this article to find answers to frequently asked questions about the R-SAT.

What is the R-SAT?

The R-SAT is a 16-question self-assessment, in the form of a PDF document, created to help financial institutions reduce the risks of ransomware. It was specifically designed for state-chartered banks and credit unions. As a self-assessment, the R-SAT is different from an audit, a risk assessment, or a best practices document, but asks banks to consider aspects of each, as it relates to ransomware. According to the CSBS Press Release, "using the ransomware tool, a bank can assess its efforts to control and mitigate risks associated with the threat of ransomware and identify gaps that require increased security."

What is ransomware?

Ransomware is the combination of malware and a ransom heist. The malware encrypts data on a computer or network, making it irrecoverable by the owner. The attackers then offer to give a decryption key in exchange for ransom. Even if the ransom is paid, it is not guaranteed that attackers will provide a decryption key.

Who wrote the R-SAT?

The Conference of State Bank Supervisors (CSBS) is the national organization of state financial regulators that come together to develop and publish guidance across the states. CSBS released the R-SAT to their state-chartered financial institutions, citing that it was developed with the Bankers Electronic Crimes Task Force (BECTF), led by Texas Banking Commissioner, Charles Cooper, and the United States Secret Service (USSS). The BECTF is composed of U.S. community financial institution executives, state bank regulators (likely members of the CSBS), and other industry stakeholders. The United States Secret Service is a federal law enforcement agency that conducts criminal investigations and protects the nation's leaders.

Why was the R-SAT written?

Ransomware is a growing threat.

According to the cover letter distributed with the tool, the R-SAT was designed because, "Ransomware has become the most visible cyber threat to our nation's networks." According to the CSBS Press Release, "using the ransomware tool, a bank can assess its efforts to control and mitigate risks associated with the threat of ransomware and identify gaps that require increased security." In other words, the R-SAT was designed to help you look at your controls and risks from a new angle to see if there is anything you can do to improve your resilience to a ransomware attack. The way the assessment is written, the recommended controls are built into the questions.

Examiners want to talk to you about ransomware.

Based on what we see in the statements released by the various states, the R-SAT was also designed to create talking points between examiners and institutions for exams in 2021. There is no indication these talking points would necessarily be considered findings.

Regulators want to make sure you have strong backup practices and are using multi-factor authentication.

In the cover letter, a whole section is dedicated to the value of two controls that are "very important: strong backup practices and the use of Multi-Factor Authentication (MFA)." To be effective, ransomware needs to compromise administrative credentials. MFA makes this much more difficult to accomplish. In the event administrative credentials are compromised and ransomware does encrypt data, strong backup practices ensure you can restore data to a previously uncompromised point without having to pay the ransom.

Where can I get a copy of the R-SAT?

A copy of the R-SAT, the associated cover letter, and the press release can be downloaded from the CSBS website at: https://www.csbs.org/ransomware-self-assessment-tool.

Are banks and credit unions expected to complete the R-SAT? 

Each state has different expectations related to the R-SAT for state-regulated banks, credit unions, and other state-chartered financial institutions. Since the R-SAT was released by the CSBS, we expect all state-chartered institutions will be contacted about completing it. See our article State Banking Departments Announce New Ransomware Assessment (R-SAT) for a list of states that have communicated expectations related to the R-SAT.

If you are a nationally-chartered bank or credit union, we do not expect you will be asked to complete the R-SAT. However, we do believe completing the R-SAT is a helpful exercise you should consider.

How often should I complete the R-SAT?

It is currently unclear how often state-chartered institutions will be expected to complete the R-SAT. We are waiting on responses from regulators regarding this expectation. However, it is clear many regulators expect an initial assessment to be completed by early 2021.

Is there a right way to answer the questions?

The only "right" way to answer the questions is to answer them accurately. If you are a Tandem customer, we recommend you use the mapping document to help you quickly find the accurate answer to the questions. Access the mapping in Tandem by going to the Resources page.

There is no final rating you are trying to achieve, or specific answer set that gives you a passing grade. You will see several of the questions appear to be designed as though you should answer them "yes," such as questions about whether you use certain controls. However, control implementation depends on the environment and compensating controls. Remember, this tool is primarily designed to draw attention to ransomware attacks and the controls which can protect against them.

Is there any education you can provide about each of the R-SAT questions?

On November 17th, 2020, Tandem hosted a webinar over the R-SAT. In this webinar, Russ Horn reviewed each question to discuss the expected purpose of the question and other interesting things to consider. If you would like to access the recording of this webinar, you can do so by going to: https://go.tandem.app/2020-ransomware-guidance.html.

Here are a few notes from the webinar about each question.

  • Question 1 asks about using a standard/framework for a comprehensive set of cybersecurity controls. We recommend you choose what works best for your size and complexity.
     
  • Question 2 asks if you have identified the controls from your standard/framework that have not been implemented. If you use the FFIEC CAT, you can see which baseline questions were answered as "no."
     
  • Question 3 asks about having cyber insurance. While the FFIEC does not require organizations to have cyber insurance, it can be helpful in the event of a ransomware incident. If you do not have a dedicated cyber insurance plan, consider checking with your insurance provider to determine if cyber events are covered by existing sections of your insurance policy (e.g., liability).
     
  • Question 4 asks you to document the location of your critical data, in-house or outsourced. It is important to know where your data is and who is responsible for it. This question also sets the tone for other questions on the R-SAT.
     
  • Question 5 asks about third-party vendors with remote access to the network and controls implemented for their networks. There was a huge attack on municipalities recently that was achieved through their MSP. The controls of your vendors are just as important as your own institution's controls.
     
  • Questions 6 and 7 ask about ransomware being included in your risk assessment and mitigation plans. The inclusion of these questions creates an opportunity to educate management on how your information security and cybersecurity program works.
     
  • Question 8 asks about employee security awareness training. Ransomware training is about employees knowing what ransomware is and how to respond. We would expect that to be part of your incident response and annual information security awareness training. Phishing training is paramount and should be happening more than annually.
     
  • Question 9 asks about backup controls and includes an appendix to be able to log answers for any set of critical data. Certain backup controls may be managed by a vendor. If you do not know the answer to the items on this question, consider contacting your third party to determine how backups of your data are being performed. This information will be valuable in the event the vendor is compromised by a ransomware attack.
     
  • Question 10 asks which controls are implemented, with an emphasis on reducing the risk of ransomware. Notice the particular focus on MFA, as it has sub-options. We particularly emphasize the importance of the "eliminated administrative access to endpoints" control. When considering malware delivered through phishing, if the client is not an administrator, the malware will not be able to install.
     
  • Question 11 asks about the threat of ransomware being included in your incident response testing. States are already announcing resources which will be provided for this testing.
     
  • Question 12 asks about monitoring practices to detect potential ransomware attacks. For specific tools, contact your IT vendor. A data loss prevention program may seem out of place for ransomware, but it may be necessary as hackers are starting to run a double ransom scheme where they copy off the data and ask organizations to pay a second ransom for the data to not be distributed.
     
  • Questions 13 through 16 ask about details of the incident management process. If you are not currently following a framework for incident management, the NIST SP 800-61 framework is one comprehensive approach to incident response. If you're looking for a tool to help with incident management, check out the new Tandem Incident Management product.

How should I present the R-SAT results to executives?

As the goal of the R-SAT is to find gaps in ransomware controls, it could be beneficial to report what you found from the assessment regarding controls. Summarize what you have in place for preventing, detecting, and responding to ransomware. Then, present the items which are not currently in place that you would either recommend implementing or determine justification for not having those controls at this time. While this information could be reported separately, it could also be included when discussing information security and cybersecurity in regularly scheduled meetings.

Are there any changes I should make to my existing Information Security program in response to R-SAT?

The R-SAT is designed to bring attention to ways you can prevent and respond to ransomware. You should look into the recommended controls and determine if the control is implemented or not. If a recommended control does not currently exist in your security environment, you may wish to consider implementing the control and updating the related documentation in your Risk Assessment, Policies, Business Continuity Plan, Vendor Management, or Incident Management program.

Here are a few specifics you may consider:

  • Increase your phishing testing as it is a primary vector for ransomware to enter your network. If you are looking for a tool to help with administering phishing testing and training, check out Tandem Phishing.
     
  • Improve your incident management plan. If you do not currently have a way to handle incident management easily and accurately, consider using Tandem Incident Management.
     
  • Review your policy language to ensure it reflects specific controls and configurations covered in the R-SAT. See the question "What changes have been made to Tandem products to address the R-SAT?" to see what kind of changes we made to our policies.

What changes have been made to Tandem products to address the R-SAT?

We reviewed the Tandem commentary and consultative text to see what content could be improved to align with the topics addressed by the R-SAT. As the R-SAT reinforces existing concepts, we found very little needed to be updated. We made changes to five policies to better address controls that prevent ransomware.

If you are a Tandem Policies subscriber, check the Software Updates page for the full details of these changes (October 28, 2020) and instructions on how to accept the suggestions. If you are not a Tandem Policies subscriber, you may consider making similar updates to your Information Security policies. Here are the updates we made:

  • Updated "Insurance Coverage" policy to address cyber insurance considerations and make additional recommendations regarding insurance selection and review.
     
  • Updated "Administrators" policy and our "Cloud Computing" policy to explicitly define the use of multi-factor authentication (MFA), as it was one of the top two controls expressed in the R-SAT cover letter.
     
  • Updated "System Hardening" policy to make specific mention of disabling web browser and email client plug-ins.
     
  • Updated "Data Backup" policy to clarify that authentication expectations for individuals with access to backup systems, media, and/or data are strong and different from standard forms of authentication.

How can I document the R-SAT assessment in my current Tandem products?

If you use the Compliance Management product, we recommend creating an event for completing the R-SAT. When creating an event, you can document the details, assign responsibility and a due date, and upload a copy of the completed assessment.

If you use the Audit Management product and you find there are several improvements needed to your controls around ransomware, you could create an audit to list all the findings and use it to track how and when you are addressing each issue.

If you use the Policies product, you could attach a copy of the completed R-SAT to your Malicious Software Protection policy.

Will Tandem create a tool to help financial institutions complete the R-SAT?

It is our goal to improve security while easing the burden of regulatory compliance for our customers. As such, we have released a Tandem Mapping document for the R-SAT. This document can help current Tandem customers find the answers to the R-SAT questions within their Tandem products. Customers can access this document through the Resources page in Tandem.

Due to the nature and brevity of the R-SAT, we are unsure if creating an R-SAT product to document the questions and answers would be helpful to our customers, or if it would just make answering the assessment unnecessarily complex. We will continue to evaluate client and industry feedback to determine if developing an R-SAT tool would be beneficial to the end-user and if it should be part of future Tandem strategy. If you are interested in Tandem creating a tool, please contact info@tandem.app with answers to the following questions.

  • If Tandem did provide a tool for the R-SAT, what features would you expect or like to see?
  • Would you expect to be able to download the R-SAT in its current PDF layout, or would another format be acceptable (e.g., Word Document, Excel Spreadsheet, etc.)?
  • When are you planning to complete the R-SAT?
  • If you already have completed the R-SAT, about how long did it take to complete? Do you think a Tandem tool would help improve this process' efficiency? If so, why?
  • Do you plan to complete the R-SAT more than once? If so, how often do you anticipate you will review or complete it?

Update log:

  • This article was updated on November 20th, 2020 to include detailed questions and answers from the webinar presented on November 17th, 2020. It was also updated to move the list of state announcements to a separate article.
  • This article was updated on November 19th, 2020 to include Alabama's, Iowa's, Kansas's, Maine's, Michigan's, and West Virginia's response to the R-SAT as well as a recent update in Ohio's response to the R-SAT.
  • This article was updated on November 18th, 2020 to include Maryland's response to the R-SAT.
  • This article was updated on November 10th, 2020 to include Ohio's response to the R-SAT.
  • This article was updated on November 5th, 2020 to include Washington's response to the R-SAT.
  • This article was updated on November 2nd, 2020 to include an update in Tandem's response to the R-SAT.
  • This article was updated on October 26th, 2020 to include Georgia's response to the R-SAT.
  • This article was updated on October 21st, 2020 to include Arkansas' response to the R-SAT.
  • This article was updated on October 20th, 2020 to include additional information about Ransomware and answer questions regarding Tandem product updates. 
  • This article was updated on October 19th, 2020 to include Minnesota's response to the R-SAT.
  • This article was updated on October 16th, 2020 to include Massachusetts' response to the R-SAT.