On Tuesday, October 24, 2023, the Conference of State Bank Supervisors (CSBS), the Bankers' Electronic Crimes Task Force, and the United States Secret Service published an updated version of the Ransomware Self-Assessment Tool (R-SAT). In this blog, we'll discuss what the R-SAT is, what was updated, and what you need to do about it.
About the R-SAT 2.0
The first version of the R-SAT was published in October 2020. You can learn more about the tool's origins in our blog: Ransomware Self-Assessment Tool (R-SAT): What Banks and Credit Unions Need to Know.
The updated R-SAT 2.0 is a 20-question self-assessment. It was created to help financial institutions manage the risks associated with the evolving threat of ransomware. The tool is designed to provide guidance and highlight potential gaps in an institution's cybersecurity program.
Lessons Learned Report
Along with the updated R-SAT 2.0, the Conference of State Bank Supervisors (CSBS) published a report, Ransomware Lessons Learned by Banks That Suffered an Attack. The report summarizes findings gathered from multiple state banking departments across the United States. These departments conducted an extensive study of ransomware incidents that affected state-chartered banks and credit unions.
The report highlights the following key insights:
- Most victims identified in the study did not use the R-SAT to mitigate ransomware risks prior to the incident, but all victimized institutions began using it fully after the incident.
- Multi-factor authentication (MFA) can help to mitigate ransomware risk if properly configured and implemented.
- Effective monitoring of "hyper-local," as well as traditional social media, is necessary to manage misinformation and maintain customer confidence during an incident.
The agencies integrated lessons learned from these findings into the R-SAT 2.0 updates.
The R-SAT 2.0 Update
The new version of the R-SAT maintains the same overall appearance and format as Version 1.0. It also continues to adhere to the NIST Cybersecurity Framework (CSF). A lot of the content should look familiar, but it was expanded from 16 to 20 questions.
Here is a summary of some significant changes you can expect to see in R-SAT 2.0.
- Multi-Factor Authentication (MFA): There are several new updates about MFA in R-SAT 2.0, including a new sub-question addressing application-based and phishing-resistant MFA methods; expanded options regarding the use of MFA applications; and a new sub-question to help identify areas where MFA implementation might be lacking or deferred. While MFA is essential for security, the R-SAT 2.0 updates show MFA can be most effective when businesses deploy the right authentication features in the right ways.
- International Data Management: A new question was added to address data management, particularly for cloud-based data located outside the United States. This consideration is important as the data may fall under the jurisdiction of privacy regulations imposed by other countries.
- Employee Awareness & Security Training: The updates in this section include detailed information about the types of training provided to employees; new sub-questions to assess the frequency of training; the use of phishing test results; and employee briefings on emerging ransomware threats.
- Cyber Insurance: The update includes a checklist of services available through cyber insurance policies and a new sub-question prompting institutions to consider whether certain third parties are pre-approved by the insurance provider.
- Ransomware Threat Remediation: The update introduces a new sub-question aimed at identifying any ransomware threats and risks revealed during risk assessments that have not been adequately mitigated to an acceptable level of risk. Using R-SAT 2.0 is a step in recognizing vulnerabilities and efficiently mitigating the risks associated with ransomware.
- Preventative Controls: The update places emphasis on security practices such as patch management, controlling removable media use, and altering default hardware and software settings. Additionally, it advocates for the implementation of jump boxes (bastion hosts) or administrative VLANs to enhance network security. It also points out the importance of having well-defined procedures for resetting or replacing user authentication credentials.
- Social Media: The R-SAT 2.0 also encourages social media monitoring for public awareness, highlighting the importance of proactively managing a presence on various platforms, including "hyper-local" ones (e.g., Nextdoor, Facebook Neighborhoods, Citizen, etc.). If negative information about the institution surfaces on these platforms, the potential impact can be harmful to customer confidence and brand reputation even after the incident is resolved.
By considering and adopting these updates, financial institutions can take a significant step towards a safer, more secure future, benefiting not only individual institutions but also the greater financial industry.
R-SAT 2.0 Frequently Asked Questions (FAQ)
Q: Is the R-SAT 2.0 required?
A: Certain state regulatory authorities are already encouraging completion of the R-SAT 2.0 before upcoming examinations (e.g., California, Texas, etc.). While it is up to your regulators to determine whether the R-SAT is "required," it is a helpful tool, and we recommend completing it (as a best practice) to assess your preparedness for ransomware. If you have questions about whether the R-SAT 2.0 is required, check with your state regulator.
Q: How long does it take to complete the R-SAT 2.0?
A: If you have all the answers on hand, you could probably fill out the R-SAT 2.0 document in a few hours. That said, it could take longer if you need to involve some of your third parties (e.g., managed service providers (MSPs), cloud service providers, insurance companies, consultants, etc.). It also depends on what you mean by "complete." You may find that some controls listed on the R-SAT have not been implemented at your institution. If this is the case, other stakeholders may need to be involved to determine how you plan to address those gaps. In short, the answer ultimately comes down to your institution's size, risk, complexity, and current level of ransomware preparedness.
Q: How often should institutions fill out the R-SAT 2.0?
A: We recommend completing it at least annually, and reviewing and updating it as changes occur at your institution. Consider reviewing and updating the R-SAT 2.0 if your control environment changes, if you start offering a new product or service, if you change relevant service providers, or if you have a ransomware incident.
For additional assistance with preventing, detecting, and responding to ransomware, check out Tandem. Tandem is a cybersecurity governance, risk management, and compliance (GRC) suite of web-based applications, designed to help financial institutions manage the risk of cyber threats.