CSBS Issue Talking Points - March 2021
March 19, 2021
These issue briefings provide CSBS talking points and positions on a range of issues. They are provided as a guide when discussing these issues with external audiences. They are intended to be used for background purposes and are not for distribution. For questions, please contact: Jim Cooper, Executive Vice President of Policy & Supervision JCooper@csbs.org (202) 808-3557
Cybersecurity: Nonbanks
CSBS Position
The rise of nonbank cybersecurity risk is a concern to state regulators because of the potential harm to consumers and institutions. As a result of this concern, nonbank cybersecurity supervision was approved as a high priority by the CSBS Board of Directors in March 2018 and is included in the 2021 Networked Supervision priorities. The board also approved various initiatives to support this position, including the development of a nonbank cybersecurity exam program, cybersecurity and IT examiner training and a model data security law.
Summary
Several trends in the nonbank financial services industry are increasing the need for robust cybersecurity and IT policies: greater use of and reliance on technology, nonbanks obtaining a larger percentage of industry market share, and the possession of an ever-growing amount of consumer and business data. As these trends grow, so do the number and sophistication of cyberattacks. According to recent congressional testimony, in the first five months of 2020, cyberattacks against the American financial sector increased by 238%. In response to these trends, state regulators have issued and continue to develop supervisory solutions to ensure nonbank financial institutions have robust cybersecurity policies in place. Solutions available to state regulators include:
• Baseline Nonbank Cybersecurity Exam Program: Focuses on the critical parts of a cybersecurity program and was created to give regulators a tool to examine smaller, less complex nonbank institutions.
• Enhanced Nonbank Cybersecurity Exam Program: A tool to examine larger nonbank institutions that can be customized based on a set of core controls. An updated exam program will be released in early 2021.
• CSBS Model Data Security Law: CSBS approved model statutory language to be used by state regulators wishing to address nonbank data security (cybersecurity).
• Nonbank Ransomware Self-Assessment Tool (R-SAT): A ready-to-use tool to assess an organization's efforts to control and mitigate risks associated with the threat of ransomware.
Why It Matters to State Regulators
As the primary regulator of nonbank financial institutions, state regulators have a responsibility to ensure these entities have robust cybersecurity policies and procedures. A security breach at a nonbank financial institution would lead to a loss of consumer information, disrupt business activities and create reputational risk for state regulators. A high-profile security breach of a nonbank institution could also lead to calls for federal preemption.
Talking Points
• Nonbank cybersecurity supervision was approved as a high priority by the CSBS Board of Directors in March 2018. It is also included in the 2020 – 2023 CSBS Strategic Plan.
FOR STATE REGULATOR USE ONLY
• Robust cybersecurity and IT policies in the nonbank financial services industry are crucial in protecting companies and their customers. The need for these policies will only continue to grow.
• State regulators have developed several tools (listed above) to ensure nonbank entities have the proper policies in place.
• The risks of a cybersecurity breach include the loss of consumer information, disruption to business activities, reputational risk to state regulators and possibly federal preemption.
SME Contact: Mike Bray, Manager, Nonbank Supervision: 202.559.1953 or MBray@csbs.org Date Updated: 01/14/2021
Innovation
CSBS Position
The U.S. financial services marketplace is one of the most innovative and competitive in the world. State-regulated nonbank financial companies are responsible for the most significant financial innovations of the past 25 years, from mobile payments and online lending to electronic mortgage applications. States are well positioned to shepherd the innovations of the future with a regulatory approach that encourages diversity in size and scope, a commitment to streamlining licensing and reducing regulatory burden, and an enthusiasm for enabling responsible innovation that benefits consumers and local economies alike.
Summary
State regulators have pioneered the adoption of new regulatory technology and implemented innovative new cooperative agreements to reduce regulatory burden and streamline the licensing process for companies while creating supervisory efficiencies for regulators.
Why It Matters to State Regulators
Supporters of preemption and the OCC's fintech charter often cite innovation and the need for more products and services for underserved consumers as reasoning for preemption. Supporters claim that state regulation hinders innovation. The reality is that states are laboratories of innovation, and the state system is directly responsible for much of the financial services innovation that we see today. The state system encourages new entrants and enables them to scale quickly, creating an innovative and competitive nonbank marketplace.
• States support a diverse range of business models in financial services by aligning companies' underlying business activity, rather than technology, with existing state law.
• As of Q2 2020, 129 state-licensed companies that file the Money Services Business (MSB) Call Report met the CSBS definition of a fintech company (multiple state licenses with two or fewer physical locations).
• In 2020, 75 companies acquired their first money transmission license via the state nonbank licensing platform, the Nationwide Multistate Licensing System (NMLS). Today, 52 of those companies are licensed in only one state, 14 are now licensed in two to nine states, and another 9 are licensed in 10 or more states.
• State regulators protect consumers when companies exit the market. 35 companies that held money transmitter licenses in 2019 are no longer licensed, generating few headlines and little to no customer impact.
• In 2019, the six largest money transmitters moved 70% ($915 billion) of the industry's funds, leaving more than 275 other companies competing for the remaining 30%. 200 of those 275 companies make up the last 1% of the market.
• In 2019, the largest 10 mortgage companies were responsible for 24.4% of the market ($314 billion). The top 100 companies were responsible for 53.8% ($694 billion). Total volume in 2019 was $1.29 trillion, leaving $598 billion in volume for the remaining 13,114 companies.
Talking Points
State collaboration and advancements in technology are making the state system more effective and reducing regulatory burden.
• States are implementing a series of industry recommendations as part of CSBS's Vision 2020 initiative, including the Multistate Money Services Businesses Licensing Agreement (MMLA), which streamlines the money transmitter licensing process among 27 states, and MSB Networked Supervision, which will allow 75+ MSBs to operate nationwide with just one comprehensive exam starting in 2021.
• States are building on the success of Vision 2020 to create a new approach to regulation called Networked Supervision that leverages technology, data and states' collective knowledge to strengthen consumer protection and drive local and state economic growth.
• The state system developed the NMLS in 2008 to license all nonbank mortgage and many other financial services. The NMLS is so effective that the CFPB also uses it to register mortgage professionals working in banks and credit unions.
• A new regulatory platform built by the states, called the State Examination System, facilitates state interaction with license holders and fellow states through robust data management, risk scoping, collaboration tools and more.
States are finding new ways to encourage responsible innovation in a rapidly changing financial services sector.
• States have dramatically ramped up their engagement with fintech companies. To simplify fintechs' licensing process, every state in the country named an innovation point-of-contact for money transmission, payments and lending.
• States are building on this engagement, including the Illinois Department of Financial and Professional Regulation, which established an Office of Innovation, and the Massachusetts Division of Banks, which hosts regular webinars to discuss emerging fintech issues and offers Fintech Innovation Hours for banks and fintech firms to discuss financial technology with the Division's leaders.
• States are connecting virtual currency firms with consumers. In September, the Wyoming Division of Banking issued its first Special Purpose Depository Institution (SPDI) charter. The charter allows virtual currency firms to take deposits and conduct certain fiduciary activities. SPDIs are prohibited from making loans with customer deposits of fiat currency and therefore are not required to be FDIC insured.
• States issue stand-alone virtual currency business licenses. The New York State Department of Financial Services has granted 25 virtual currency licenses since it introduced virtual currency regulation in June 2015, and Louisiana will soon begin issuing licenses pending the finalization of rules. The NYDFS has also proposed a conditional licensing framework for virtual currency that would allow new entrants to begin operating in the state by partnering with a current licensee.
• States are enabling regulator-fintech collaborations. Through programs like the Independent Community Bankers of America and Little Rock Venture Center's ThinkTech Accelerator program, and the New York Department of Financial Services' techsprint, state regulators are helping financial institutions, regulators and fintech firms work collaboratively to engineer new services and achieve accurate, real-time compliance validation.
SME Contact: Laura Fisher, Vice President, Communications: 202.360.4918 or LFisher@csbs.org Date Updated: 01/14/21
LIBOR Transition
CSBS Position
Financial institutions should be prepared for the end of the London Inter-bank Offered Rate (LIBOR) by stopping the use of LIBOR in new transactions after Dec. 31, 2021. All contracts that reference LIBOR should have fallback language for when LIBOR is no longer available.
Summary
U.K. and U.S. regulators have announced that LIBOR will no longer be published after June 30, 2023. Financial institutions should prepare for that event well in advance of the end date by identifying and quantifying all uses of LIBOR and remediating contracts as necessary. The U.S. bank regulators have announced that all financial institutions should stop using LIBOR in new transactions as soon as practicable, and in any event by Dec. 31, 2021, to avoid risks to safety and soundness. New contracts written before Dec. 31, 2021 should either use a reference rate other than LIBOR or have robust fallback language that includes a clearly defined alternative reference rate after LIBOR's discontinuation.
Why It Matters to State Regulators
LIBOR is used in many financial products, from adjustable-rate mortgages to trust preferred securities. Institutions will need to work with counterparties and service providers to avoid operational, financial and consumer protection risks. Litigation and reputation risk could be substantial for an institution that does not adequately prepare. CSBS has issued three LIBOR fact sheets:
• Fact Sheet, June 2018: raises awareness of the issue
• Fact Sheet II, February 2019: discusses fallback language and ARRC activities
• Fact Sheet III, October 2019: includes a checklist for financial institutions and a companion job aid for examiners to use when evaluating how an institution is managing the transition
Timeline
• The Financial Stability Oversight Council recommended that regulators and market participants identify alternative benchmarks in 2014, and the Alternative Reference Rates Committee (ARRC) was established in response.
• The Future of LIBOR speech by Andrew Bailey of the UK Financial Conduct Authority (FCA) in July 2017 announced the end of LIBOR: www.fca.org.uk/news/speeches/the-future-of-libor
• The FFIEC issued a statement on July 2, 2020 that highlights the risks that will result from the transition away from LIBOR and encourages supervised institutions to continue their efforts to transition to alternative reference rates in order to mitigate those risks.
• LIBOR's U.K.-based administrator, ICE Benchmark Administration (IBA, part of Intercontinental Exchange), announced on Nov. 30, 2020 its intention to cease publication of one-week and two-month U.S. dollar LIBOR on Dec. 31, 2021. The other U.S. dollar LIBOR tenors (overnight and one-, three-, six- and twelve-month) will continue to be published until June 30, 2023.
• Also on Nov. 30, 2020, IBA and the FCA issued announcements about the proposed path forward for the transition away from U.S. dollar LIBOR, accompanied by an associated statement by the International Swaps and Derivatives Association (ISDA).
• IBA also announced its intention to end publication of all GBP, EUR, CHF and JPY LIBOR settings on Dec. 31, 2021. The consultation on these intentions is open for feedback until Jan. 31, 2021; IBA will make statements about these intentions after the consultation is closed.
• The Federal Reserve, FDIC and OCC issued a statement on Nov. 30, 2020 referencing the IBA consultation and urging all institutions to stop writing contracts that use U.S. dollar LIBOR as soon as possible, and in any event by Dec. 31, 2021. The extension of LIBOR publication until June 30, 2023 would allow some legacy contracts written using LIBOR to mature before publication ends.
Reference Material
1. ARRC website: www.newyorkfed.org/arrc
2. SOFR website: https://apps.newyorkfed.org/markets/autorates/sofr
3. FCA website: www.fca.org.uk/
4. ICE website: https://ir.theice.com/home/default.aspx
SME Contact: Daniel Berkland, Director, Supervisory Processes: 202.559.1987 or DBerkland@csbs.org Date Updated: 12/17/2020
MSB Federal Legislation
CSBS Position
CSBS opposes any federal legislation that would create a national licensing structure for money services businesses (MSBs) under a federal regulator. CSBS supports an alternative under which regulatory authority over the licensing and supervision of MSBs remains with the states, supported by a backup federal regulator.
Summary
Currently, state regulators oversee a robust system of MSB supervision and continue to work towards a streamlined licensing structure. State supervision involves licensing, examination, enforcement and complaint handling for nearly 300 money transmitters that are responsible for $1.4 trillion in activity annually. The states focus their regulatory oversight on consumer protection, safety and soundness and adherence to Bank Secrecy Act and Anti-Money Laundering (BSA/AML) requirements.
In the past few years, states have made significant strides towards harmonization and consistency of MSB licensing and supervision. The states launched the State Examination System (SES) and expanded the use of the Nationwide Multistate Licensing System (NMLS) to better coordinate decisions and reduce regulatory burden. The Multistate MSB Licensing Agreement (MMLA) allows a money transmitter to submit a single application to a participating MMLA state and receive licenses from all MMLA participants. Additionally, the states implemented One Company One Exam, in which a single multistate examination of a nationwide payments firm satisfies all state examination requirements. Finally, the states developed an MSB Model Law to provide consistent approaches and statutory language for licensing requirements. All of these initiatives strive towards an effective and efficient process of state MSB supervision.
As discussion of a national licensing structure looms, the states propose an alternative federal solution that incorporates the provisions outlined in the MSB Model Law and retains the basic structure of the SAFE Act.
These provisions establish federal ceilings in notable problem areas for industry and Congress while creating federal floors for other areas in which the states can make individual determinations. Under this proposal, individual states would have two years to pass the law or risk oversight from a federal regulator. This proposal allows the states to preserve their supervisory and regulatory authority over MSBs while receiving additional support from a backup federal regulator. The purpose of this alternative is to demonstrate state cohesion in the interpretation, supervision, regulation and licensing of money services businesses at the federal level.
Why It Matters to State Regulators
The states have held exclusive prudential jurisdiction over MSBs for over a hundred years. Federal preemption of this state authority would undermine consumer protection, stifle innovation and limit the applicability of sound state money transmission laws. The states continually strive to harmonize their laws and standards to provide consistent supervision for MSBs. The states' ability to adapt to the evolving nature of technology and consumer preferences ensures the safe and sound supervision of MSBs.
Talking Points
• The local and unique perspective of the states allows them to respond quickly to emerging risks in the evolving and innovative MSB space.
• The states continually make efforts to improve and harmonize the state regulatory system through SES, the MMLA, the MSB Model Law and the Multistate MSB Examination Taskforce.
• State MSB supervision requires strict consumer protection standards that prevent risky and unsafe business practices.
• Federal preemption of state supervisory authority over MSBs would inhibit the states from enforcing their own laws governing licensure, examination and enforcement on national licensees.
• The alternative proposal for federal legislation preserves state regulatory authority and follows the successful structure of the SAFE Act used by mortgage loan originators across the nation.
• The two-year implementation period provides sufficient time for states to adopt the requirements and satisfies Congress' desire for a swift solution.
SME Contact: Camille Polson, Analyst, Policy Development: 202.407.7165 or CPolson@csbs.org Date Updated: 1/15/2021
NMLS Modernization
CSBS Position
CSBS is committed to providing state regulators with robust tools and technology that will enable them to manage nonbank supervision more efficiently. As the nonbank financial services industry continues to grow, the need for more sophisticated, data-driven technology systems is vital. Building a modernized Nationwide Multistate Licensing System (NMLS) will help us accomplish this goal as we drive toward Networked Supervision.
Summary
The next-generation nationwide multistate licensing and supervisory technology system is being developed to anticipate and accommodate the evolving needs of the state system of financial regulation. CSBS's goal is to build a new system that:
• Empowers state authority through data-driven solutions
• Promotes efficient operations and networked supervision among regulators
• Creates an optimized user experience
The modernized NMLS will employ a new licensing requirements framework that creates efficiencies for both state regulators and industry and supports Networked Supervision. With this new framework, state regulators will move away from managing the licensing process based on state-specific requirements and instead follow agreed-upon standard requirements. This standardized approach will be established and implemented first for the money services business (MSB) industry. The debt, consumer finance and mortgage industries will transition to the modernized NMLS in phases.
The modernized NMLS will be data-driven. The new system will use data and analytics to automate processes, identify risks, prioritize resources, and provide reports and visualizations for decision making. This functionality will also allow states to manage annual license renewals based on exceptions and risks. In addition, the State Examination System will share and coordinate examination schedules to limit examinations through multiple agency participation or post-examination sharing. Development of the modernized NMLS will begin in 2021.
Why It Matters to State Regulators
State regulators are the primary stakeholders of the modernized NMLS. State regulators, with CSBS support, will take the lead in determining and adopting standard requirements for the new licensing framework. State regulators will also drive internal changes to their existing licensing process and may influence changes to their state laws in preparation for a modernized NMLS. Consistent with Networked Supervision, the new NMLS will:
• Include a single source of standardized data that all regulators require
• Support interdependent reviews by state agencies based on uniform standards that allow agencies to rely on another agency's work
• Use common nationwide licensure and compliance thresholds by industry
Talking Points
• A modernized NMLS will have several benefits for both state regulators and industry. State agencies will experience greater operational efficiencies, including the ability to rely on another agency's work, while industry will have a more streamlined, user-focused experience as it goes through the state licensing process.
• Development of the modernized NMLS will begin in 2021. Development efforts will focus initially on the MSB industry, which will be the first industry to transition to the modernized NMLS.
• CSBS staff will support state regulators as they collaborate to establish, define and implement standardized licensing requirements that will drive how the licensing process is managed in the modernized NMLS.
• CSBS staff will conduct a state agency outreach effort to gain agency commitments to adopt MSB industry licensing requirements based on an MSB Model Law, which will follow a national standard. This outreach effort will be similar to the activities that led to state agency commitments to adopt the current NMLS.
SME Contact: Vonnetta Cornish, Senior Manager, NMLS Communications: 202.728.5752 or VCornish@csbs.org Date Updated: 1/13/2021
Paycheck Protection Program
CSBS Position
State-chartered banks are on the front lines of Paycheck Protection Program (PPP) lending and the economic recovery from the COVID-19 pandemic. Since its inception, state regulators have supported the PPP by sharing feedback collected from supervised institutions with the Treasury Department and Small Business Administration (SBA).
Summary
In March 2020, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) created the SBA PPP to provide short-term, low-interest loans that could be forgiven under specified circumstances to certain small businesses and nonprofits. Congress initially authorized $349 billion for SBA 7(a) loans, including PPP loans, which were available through June 30, 2020. Lending began on April 3, and the initial authorization was exhausted by April 16. On April 24, Congress authorized another $310 billion ($659 billion total) for 7(a) loans, including PPP loans, in the Paycheck Protection Program and Health Care Enhancement Act. The law authorized the issuance of new PPP loans, with $659 billion for PPP loan commitments and $30 billion for 7(a) loan commitments. At the end of the initial PPP rounds on Aug. 8, 2020, the SBA had approved over 5.2 million PPP loans, totaling more than $525 billion.
In January 2021, the SBA began another round of PPP with $284 billion in loans available to small businesses. The new round allows certain existing PPP borrowers to apply for a Second Draw PPP loan. The new legislation also allows PPP loans to cover additional expenses, including operations expenditures, property damage costs, supplier costs and worker protection expenditures. A borrower is generally eligible for a Second Draw PPP Loan if the borrower:
• Previously received a First Draw PPP Loan and has used, or will use, the full amount only for authorized uses;
• Has no more than 300 employees; and
• Can demonstrate at least a 25% reduction in gross receipts between comparable quarters in 2019 and 2020.
Why It Matters to State Regulators
With the economy reeling from the pandemic and its associated lockdowns, the PPP has injected a much-needed boost to struggling businesses and their local communities. CSBS analysis of the PPP shows that community banks (using the FDIC definition) had a disproportionately greater share of lending to small businesses than their larger and more complex counterparts. Community banks' participation in the PPP was higher, they made more loans as a share of assets, they likely made more loans to smaller businesses that employ fewer workers, and they made more loans per bank employee.
Talking Points
• The PPP has been one of the most successful stimulus programs in our country's history and may need even more support based on the success of the vaccine rollout.
• Community banks' participation in the PPP was higher, they made more loans as a share of assets, they likely made more loans to smaller businesses that employ fewer workers, and they made more loans per bank employee.
• Throughout the PPP, state regulators have collected feedback from industry about problems with the program and reported them to Treasury and the SBA.
SME Contact: Joey Samowitz, Policy & Supervision Analyst: (202) 559-1978 or jsamowitz@csbs.org Date Updated: 1/15/2021
Ransomware
CSBS Position
Ransomware has become the most visible cyber threat to our nation's networks. While financial institutions have implemented good cybersecurity practices, the rapid advancements in ransomware and its potentially devastating consequences require that every financial institution review and update its controls. We continue to work with state regulators and industry to ensure that resources are made available to assist with mitigating this risk. CSBS has partnered with the U.S. Secret Service and the Bankers Electronic Crimes Task Force to issue ransomware self-assessment tools for state regulators to share with the banks and nonbanks they supervise.
Summary
During 2020, ransomware events shifted from encrypting data in place to also exfiltrating data and publicly shaming victims to ensure payment. CSBS initiated a Ransomware Campaign with three goals:
1. Issue tools for state bank regulators
2. Provide tools to improve community banking industry security against ransomware
3. Host tabletop exercises for industry
In May 2020, CSBS issued a Ransomware Playbook for state bank regulators to assess a ransomware event impacting one of their supervised institutions. It is intended as a resource to allow state regulatory staff to collect appropriate information and document the situation, and serves as an assessment tool for senior staff or lead IT examiners when an institution reports a ransomware event. In October 2020, CSBS joined with the Bankers Electronic Crimes Task Force and the U.S. Secret Service to issue a Ransomware Self-Assessment Tool (R-SAT) to help mitigate ransomware attacks. The R-SAT has 16 questions designed to help financial institutions assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security.
The document provides executive management and the board of directors with an overview of the institution's preparedness for identifying, protecting against, detecting, responding to and recovering from a ransomware attack. In December 2020, CSBS and the U.S. Secret Service issued a similar self-assessment resource for nonbank financial institutions.
Why It Matters to State Regulators
State regulators offered this tool because of the rapid advancements in ransomware and the potentially devastating consequences to their financial institutions. There is no single measure to prevent successful ransomware attacks. Prevention requires strong adherence to fundamental cybersecurity controls, but some measures are especially important: strong backup practices (with at least one copy kept offline or otherwise isolated from the production network, so an intruder who gains administrative access cannot encrypt the backups as well) and the use of multi-factor authentication.
Talking Points
• Incidents of ransomware across industries have been on the rise and appear to be spreading. One global cyber insurer reported 775 ransomware incidents for its U.S. customers in 2019, representing a 131% increase from the year prior. Eleven percent of those customers were financial institutions.
• By using the R-SAT, an institution (bank or nonbank) can assess its efforts to control and mitigate risks associated with the threat of ransomware and identify gaps that require increased security.
SME Contact: Mary Beth Quist, Senior Vice President, Bank Supervision: 202.728.5722 or mbquist@csbs.org Date Updated: 1/12/2021
SolarWinds
Summary
A sophisticated supply chain attack occurred through the compromise of SolarWinds' IT monitoring and management products. The compromise of the SolarWinds Orion platform became public on Dec. 13, 2020, although it began at least as early as March 2020. The affected versions of SolarWinds products were downloaded at several U.S. government agencies, critical infrastructure entities and private sector organizations; the breach impacted up to 18,000 client organizations, including at least eight government agencies and major firms like Microsoft. The threat actor has been identified as an Advanced Persistent Threat actor of Russian origin that has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. The attack appears to be an intelligence gathering effort.
The threat actor compromised the SolarWinds Orion product by inserting a malicious version of the software into the SolarWinds update cycle. FireEye has named the backdoor inserted into these builds SUNBURST. The software was modified to include the malware and was distributed between March and June 2020 as trusted software updates from the company. The following SolarWinds products were compromised and used as initial access vectors (https://us-cert.cisa.gov/ncas/alerts/aa20-352a):
o Orion Platform 2019.4 HF5, version 2019.4.5200.9083
o Orion Platform 2020.2.RC1, version 2020.2.100.12219
o Orion Platform 2020.2.RC2, version 2020.2.5200.12394
o Orion Platform 2020.2 and 2020.2 HF1, version 2020.2.5300.12432
Why It Matters to State Regulators
The Cybersecurity & Infrastructure Security Agency (CISA) has determined that this threat poses a grave risk to the federal government and state, local, tribal and territorial governments, as well as critical infrastructure entities and other private sector organizations. It is still unclear how much information was compromised, and we continue to learn details.
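As an added example (not CSBS, CISA or SolarWinds code), the following Python script checks an install inventory against the four trojanized Orion builds listed above. The build numbers and marketing labels are the ones in the CISA list; the "host,product,version" inventory format, the host names in the sample and the status labels (affected, not_listed, unverified) are assumptions made for this example. It matches on either the build number or the marketing label, because one build (2020.2.5300.12432) shipped under two labels (2020.2 and 2020.2 HF1) and an inventory often records only the label; anything not on the list is reported as not listed rather than safe, since the list covers the SUNBURST builds and nothing else.

```python
"""Triage SolarWinds Orion installs against the trojanized builds in CISA AA20-352A.

Added example for this section; it is not CSBS, CISA or SolarWinds code.
The inventory format ("host,product,version" lines), the host names in
SAMPLE_INVENTORY and the status labels are assumptions of the example. The
build numbers and marketing labels are the ones the alert lists for the
SUNBURST-backdoored releases.
"""
from dataclasses import dataclass
from typing import Dict, List

# Build number -> marketing label, as listed in CISA Alert AA20-352A.
AFFECTED_BUILDS: Dict[str, str] = {
    "2019.4.5200.9083": "Orion Platform 2019.4 HF5",
    "2020.2.100.12219": "Orion Platform 2020.2 RC1",
    "2020.2.5200.12394": "Orion Platform 2020.2 RC2",
    "2020.2.5300.12432": "Orion Platform 2020.2 / 2020.2 HF1",
}

# Marketing label -> build number. Two labels (2020.2 and 2020.2 HF1) share
# one build, so an inventory that records only the label still matches.
AFFECTED_LABELS: Dict[str, str] = {
    "2019.4 HF5": "2019.4.5200.9083",
    "2020.2 RC1": "2020.2.100.12219",
    "2020.2 RC2": "2020.2.5200.12394",
    "2020.2": "2020.2.5300.12432",
    "2020.2 HF1": "2020.2.5300.12432",
}


@dataclass
class Finding:
    host: str
    version: str
    status: str  # "affected", "not_listed" or "unverified" (labels chosen for this example)
    note: str


def normalize_label(version: str) -> str:
    """Map the ways a version gets written ("Orion Platform 2020.2.RC1",
    "2020.2 rc1", "2020.2-HF1") onto the label form used in AFFECTED_LABELS.
    Plain build numbers pass through unchanged."""
    v = version.strip()
    if v.lower().startswith("orion platform"):
        v = v[len("orion platform"):]
    for sep in (".RC", ".rc", ".HF", ".hf", "-"):
        v = v.replace(sep, " " + sep.lstrip(".-"))
    return " ".join(v.split()).upper()


def classify(host: str, version: str) -> Finding:
    """Classify one install. Exact matches only: anything not on the list is
    reported as not_listed, never as safe."""
    label = normalize_label(version)
    if not label:
        return Finding(host, version, "unverified",
                       "no version recorded; read it from the server before closing the item")
    if label in AFFECTED_BUILDS:
        return Finding(host, version, "affected",
                       f"build {label} is {AFFECTED_BUILDS[label]} (AA20-352A)")
    if label in AFFECTED_LABELS:
        return Finding(host, version, "affected",
                       f"{label} ships as build {AFFECTED_LABELS[label]} (AA20-352A)")
    return Finding(host, version, "not_listed",
                   "not one of the AA20-352A builds; confirm against the SolarWinds advisory")


def triage_inventory(inventory: str) -> List[Finding]:
    """Parse 'host,product,version' lines (constructed format for this example)
    and classify every Orion Platform install; other products are skipped."""
    findings: List[Finding] = []
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"malformed inventory line: {raw!r}")
        host, product, version = parts
        if "orion" not in product.lower():
            continue
        findings.append(classify(host, version))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status so the affected hosts can be prioritized."""
    counts = {"affected": 0, "not_listed": 0, "unverified": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample inventory (not real hosts); the empty version on orion-05
# is deliberate, to show the unverified path.
SAMPLE_INVENTORY = """\
# host,product,version
orion-01.example.test,Orion Platform,2020.2.5300.12432
orion-02.example.test,Orion Platform,2019.4 HF5
orion-03.example.test,Orion Platform,2020.2.RC1
orion-04.example.test,Orion Platform,2020.2.1
orion-05.example.test,Orion Platform,
fileshare-01.example.test,Other SolarWinds product,1.0
"""

if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.status:<11} {f.host:<28} {f.version or '(none)':<20} {f.note}")
    print(summarize(results))
```

Run as a script it prints one line per Orion install and a count per status; the sample yields three affected hosts, one not-listed host (2020.2.1) and one host with no recorded version. A host whose version is missing should stay open until someone reads it from the server itself, and a not-listed result is a prompt to check the SolarWinds advisory, not a clean bill of health.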
CISA issued both Alert AA20-352A and an Emergency Directive for federal agencies with detailed mitigation steps. All Significant Service Providers (SSPs) are aware of the CISA Alert and Emergency Directive and are reporting information to executive leadership. Communication to clients remains varied. To date, none of the SSPs have reported confirmed instances of unauthorized access, data exfiltration or command-and-control traffic indicative of malicious network activity, but many continue to threat hunt as the incident continues to evolve.
Talking Points
Because information associated with this event is rapidly evolving, banks and service providers will be using their threat monitoring and risk assessment processes to continue to determine their impact and response. As bankers seek examiner advice, the following questions may be used (most are included in the resources below).
• Is the bank following its threat monitoring processes, and is it aware of this recent APT activity? There are government resources identified below that provide relevant information, and more will be issued as the situation evolves.
• Has the bank assessed risk to ascertain the impact to its organization?
• Has the bank's risk assessment extended to third-party service providers that connect to its systems?
FOR STATE REGULATOR USE ONLY
• What risk mitigation actions has the bank taken, or is it planning to take, in order to address risk identified through its risk assessment? Are these actions consistent with the threat information sources cited below?
• Because the Orion compromise is not the only infection vector, is management focused on defense-in-depth and layered security?
• If you discontinued use of SolarWinds, what mitigating control or alternative solution have you implemented?
• Have the results of the risk assessment and any ensuing remediation actions been discussed with the board of directors and senior management?
Key Takeaways
• This is a patient, well-resourced and focused adversary that has sustained long duration activity on victim networks.
• CISA is investigating other access vectors in addition to the SolarWinds Orion supply chain compromise.
• Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
• Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
Resources that may assist with assessment and remediation efforts:
• CISA Alert AA20-352A, Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure and Private Sector Organizations.
• CISA Alert AA21-008A, Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, a companion alert to AA20-352A.
• CISA Emergency Directive 21-01. CISA’s Emergency Directive is binding on U.S. Government agencies. Financial institutions are not required to follow this directive but may consider its recommendations as part of their risk-based remediation approach.
• NSA Cybersecurity Advisory: Detecting Abuse of Authentication Mechanisms
• SolarWinds Security Advisory
• SolarWinds Secure Configuration for the Orion Platform Version 2020.2.1
• FireEye Threat Research: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor.
• FireEye GitHub: Countermeasures.
• Microsoft: Customer Guidance on Recent Nation-State Cyber Attacks
• Microsoft: Important Steps for Customers to Protect Themselves from Recent Nation-State Attacks
• Microsoft: Ensuring Customers are Protected from Solorigate
SME Contact: Mary Beth Quist, Sr. Vice President Bank Supervision, 202-728-5722, mbquist@csbs.org
Date Updated: 1/15/2021
State Examination System
CSBS Position
State regulators have a goal of an integrated, 50-state system of licensing and supervision called Networked Supervision. The State Examination System (SES) is a software system created by CSBS to hasten the realization of this goal. Launched in October 2019, SES provides an efficient and secure platform for states to conduct exams, investigations and complaints in a collaborative, networked manner that preserves state control over information sharing. Through SES, state regulators have a powerful tool to bring uniformity, efficiency and a less burdensome supervisory process for companies, which ensures the state system remains the chosen environment for financial service providers.
Summary
SES is an end-to-end system. Examiners can use it to schedule the exam, create the scope, prepare and send information requests, receive information request responses, create the exam plan, conduct reviews with exam procedures, build the report of examination and track ongoing issues. With complaints, agency users can intake a complaint they receive, transmit it to the company and review company responses in the system. Industry users can use SES to efficiently exchange data and documentation for that exam or complaint. While SES is built to support nonbank supervisory activities, the system could be modified to support bank examinations if agencies need such a system in the future.
Why it Matters to State Regulators
SES is a no-cost solution to a common agency problem: lack of a single platform for their exams, investigations, complaints and other supervision work. SES solves that problem and takes it further by allowing agencies to leverage the work already done by one regulator, or network, and utilize it to complete their own supervision responsibilities. Further, SES improves intra-agency information sharing, i.e., the information shared within state agencies.
Staff responsible for the licensing functions should have access to the information generated through the supervisory function of the agency and vice versa. Picking up where a previous regulator left off allows the incoming regulator to focus on new risks or follow up on risks already identified. SES allows for partnering with other state agencies on supervisory activities as much as possible, which will reduce regulatory burden for companies that are supervised by more than one agency. Having a view into the supervisory findings from one agency will allow another agency to better allocate resources and schedule its own supervisory activities. State regulators will also share exam manuals and procedures, which will help drive uniformity and consistency across the states.
Talking Points
• By year end 2020, more than 30 state agencies had onboarded to SES and over 450 exams were conducted.
• SES expanded in late 2020 to offer complaints processing and handling services, now used by 11 agencies.
• The states’ networked supervision goals are furthered by adoption of SES, as it brings agencies onto a single, more uniform platform on which to conduct their supervision activities.
• CSBS continues efforts to create a common core of regulatory materials that can be integrated into the SES platform and shared across all states. These include information requests, procedures and work programs.
SME Contact: Kyle Thomas, Vice President, Business Services: 202.407.7131 or KThomas@csbs.org
Date Updated: 1/11/2021