CSBS Issue Talking Points

Ransomware

CSBS Position

Ransomware has become the most visible cyber threat to our nation’s networks. While financial institutions have implemented good cybersecurity practices, the rapid advancements in ransomware and its potentially devastating consequences require that every financial institution review and update its controls. We continue to work with the state regulators and industry to ensure that resources are made available to assist with mitigating this risk. CSBS has partnered with the U.S. Secret Service and Bankers Electronic Crimes Taskforce to issue ransomware self-assessment tools for state regulators to share with banks/nonbanks they supervise.

Summary

During 2020, ransomware events shifted from encrypting data in place to include exfiltration and public shaming to ensure payment. CSBS initiated a Ransomware Campaign that consisted of three goals:

1. Issue tools for state bank regulators
2. Provide tools to improve community banking industry security against ransomware
3. Host tabletop exercises for industry

In May 2020, CSBS issued a Ransomware Playbook for state bank regulators to assess a ransomware event impacting one of their supervised institutions. It is intended as a resource that allows state regulatory staff to collect the appropriate information and document the situation. The playbook is an assessment tool for senior staff or lead IT Examiners when an institution reports a ransomware event. In October 2020, CSBS joined with the Bankers Electronic Crimes Task Force and the U.S. Secret Service to issue a Ransomware Self-Assessment Tool (R-SAT) to help mitigate ransomware attacks. The R-SAT has 16 questions designed to help financial institutions assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security. The document provides executive management and the board of directors with an overview of the institution’s preparedness for identifying, protecting against, detecting, responding to and recovering from a ransomware attack. In December 2020, CSBS and the U.S. Secret Service issued a similar self-assessment resource for nonbank financial institutions.

Why It Matters to State Regulators

State regulators offered this tool because of the rapid advancements in ransomware and its potentially devastating consequences for their financial institutions. There is no single measure that prevents successful ransomware attacks. Prevention requires strong adherence to fundamental cybersecurity controls, but some measures are especially important: strong backup practices and the use of Multi-Factor Authentication.

Talking Points

• Incidents of ransomware across industries have been on the rise and appear to be spreading. One global cyber insurer reported 775 ransomware incidents for its U.S. customers in 2019, representing a 131% increase from the year prior. Eleven percent of those customers were financial institutions.
• By using the R-SAT, an institution (bank or nonbank) can assess its efforts to control and mitigate risks associated with the threat of ransomware and identify gaps that require increased security.

SME Contact: Mary Beth Quist, Senior Vice President, Bank Supervision: 202-728-5722 or mbquist@csbs.org

Date Updated: January 2021

FOR STATE REGULATOR USE ONLY