Cyber & IT Supervisory Forum - November 2023

November 6 - 8, 2023, DoubleTree by Hilton - Austin, TX

www.csbs.org

CONFERENCE OF STATE BANK SUPERVISORS

1300 I Street NW / Suite 700 / Washington, DC 20005 / (202) 296-2840

@csbsnews

Cyber & IT Supervisory Forum, Austin, Texas, November 6-8, 2023. All times in Central Time Zone.

Monday, November 6, 2023

7:30 AM – 8:30 AM  Registration (Meeting Room: Prefunction)

7:30 AM – 8:30 AM  Breakfast (Meeting Room: Austin)

8:30 AM – 8:45 AM  Welcome Remarks (Meeting Room: Phoenix North)
Amy Richardson, Senior Director, Learning & Development, Conference of State Bank Supervisors

8:45 AM – 9:00 AM  Welcome to Texas (Meeting Room: Phoenix North)
Charles Cooper, Commissioner, Texas Department of Banking

9:00 AM – 10:00 AM  Keynote (Meeting Room: Phoenix North)
Chris Furlow, President & CEO, Texas Bankers Association

10:00 AM – 10:15 AM  Break

10:15 AM – 11:15 AM  Current Threat Landscape (Meeting Room: Phoenix North)
Matthew Sellman, Supervisory Special Agent, Federal Bureau of Investigation (FBI)

11:15 AM – 11:30 AM  Break

11:30 AM – 12:15 PM  R-SAT 2.0 & Ransomware Study (Meeting Room: Phoenix North)
Phillip Hinkle, Director of IT Security Examinations, Texas Department of Banking
Brad Robinson, Senior Director, Cybersecurity Policy & Supervision, Conference of State Bank Supervisors

12:15 PM – 1:30 PM  Lunch

1:30 PM – 2:30 PM  Breakout: Next Generation of Interagency Exam Tools (Meeting Room: Phoenix North)
Paige Terry, Product Manager, Federal Reserve Bank (FRB)
Jami Van Huet, Senior Director, Bank Supervision, Conference of State Bank Supervisors
Jay Voigt, Financial Examiner, Texas Department of Banking

1:30 PM – 2:30 PM  Breakout: Non-Depository Incident Response – Tabletop Exercise Part I (Meeting Room: Austin)
Mike Bray, Senior Manager, Nonbank Supervision & Enforcement, Conference of State Bank Supervisors
Brad Robinson, Senior Director, Cybersecurity Policy & Supervision, Conference of State Bank Supervisors

2:30 PM – 2:45 PM  Break

2:45 PM – 3:45 PM  Breakout: URSIT Working Session (Meeting Room: Phoenix North)
Jami Van Huet, Senior Director, Bank Supervision, Conference of State Bank Supervisors

2:45 PM – 3:45 PM  Breakout: Non-Depository Incident Response – Tabletop Exercise Part II (Meeting Room: Austin)
Mike Bray, Senior Manager, Nonbank Supervision & Enforcement, Conference of State Bank Supervisors
Brad Robinson, Senior Director, Cybersecurity Policy & Supervision, Conference of State Bank Supervisors

3:45 PM – 4:00 PM  Break

4:00 PM – 4:30 PM  State of the State (Meeting Room: Phoenix North)
Mike Bray, Senior Manager, Nonbank Supervision & Enforcement, Conference of State Bank Supervisors
Mary Beth Quist, Senior Vice President, Bank Supervision, Conference of State Bank Supervisors

5:30 PM – 7:30 PM  Networking Reception (Meeting Room: Magnolia)

Tuesday, November 7, 2023

7:30 AM – 8:30 AM  Breakfast (Meeting Room: Austin)

8:30 AM – 9:30 AM  Federal Agency IT/Cyber Supervision Priorities (Meeting Room: Phoenix North)
Lisa Clark, Bank Information Technology Policy Analyst, Office of the Comptroller of the Currency (OCC)
William Henley, Jr., Associate Director, Information Technology Supervision Branch, Federal Deposit Insurance Corporation (FDIC)
Dino Papanastasiou, Senior Supervisory Cybersecurity Analyst, Board of Governors of the Federal Reserve Bank
Mary Beth Quist, Senior Vice President, Bank Supervision, Conference of State Bank Supervisors
Chris Young, Deputy Assistant Director, Consumer Financial Protection Bureau (CFPB)

9:30 AM – 9:45 AM  Break

9:45 AM – 10:45 AM  Redefining Cybersecurity Standards: Advancing with Proactive Intelligence & Collaborative Resilience (Meeting Room: Phoenix North)
Jennifer Gold, President & Board Chair, New York Metro InfraGard Chapter

10:45 AM – 11:00 AM  Break

11:00 AM – 11:45 AM  Idaho's Financial Innovation Lab: A Model for Strategic Engagement & Thought Leadership (Meeting Room: Phoenix North)
John Yaros, Securities Bureau Chief, Idaho Division of Finance

11:45 AM – 1:00 PM  Lunch

1:00 PM – 2:00 PM  Breakout: One on One with a Managed Service Provider (MSP) (Meeting Room: Phoenix North)
Cal Roberson, Director of Strategic Partnerships, Integris Financial Institution Division
Phillip Hinkle, Director of IT Security Examinations, Texas Department of Banking

2:00 PM – 2:15 PM  Break

2:15 PM – 3:15 PM  Breakout: Service Provider Supervision & State Involvement (Meeting Room: Phoenix North)
Holly Chase, Director of Cybersecurity, IT, Fintech, Massachusetts Division of Banks
Nicholas Lee, Financial Institutions Manager, California Department of Financial Protection & Innovation
Mary Beth Quist, Senior Vice President, Bank Supervision, Conference of State Bank Supervisors

2:15 PM – 3:15 PM  Breakout: Non-Bank Cyber & IT Supervision: SWOT Analysis (Meeting Room: Austin)
Mike Bray, Senior Manager, Nonbank Supervision & Enforcement, Conference of State Bank Supervisors
Brad Robinson, Senior Director, Cybersecurity Policy & Supervision, Conference of State Bank Supervisors

3:15 PM – 3:30 PM  Break

3:30 PM – 4:30 PM  State IT/Cyber Examinations – Today, Tomorrow and in the Future (Meeting Room: Phoenix North)
Holly Chase, Director of Cybersecurity, IT, Fintech, Massachusetts Division of Banks
Phillip Hinkle, Director of IT Security Examinations, Texas Department of Banking
Charles Jones, IT Examiner, Pennsylvania Department of Banking & Securities
Brad Robinson, Senior Director, Cybersecurity Policy & Supervision, Conference of State Bank Supervisors

Wednesday, November 8, 2023

7:30 AM – 8:30 AM  Breakfast (Meeting Room: Austin)

8:30 AM – 9:30 AM  IT Supervision Roundtable Discussion (Meeting Room: Phoenix North)
Mike Bray, Senior Manager, Nonbank Supervision & Enforcement, Conference of State Bank Supervisors
Mary Beth Quist, Senior Vice President, Bank Supervision, Conference of State Bank Supervisors
Brad Robinson, Senior Director, Cybersecurity Policy & Supervision, Conference of State Bank Supervisors
Jami Van Huet, Senior Director, Bank Supervision, Conference of State Bank Supervisors

9:30 AM – 9:45 AM  Break

9:45 AM – 10:45 AM  State Regulatory Panel: IT Supervision Findings & Best Practices (Meeting Room: Phoenix North)
Phillip Hinkle, Director of IT Security Examinations, Texas Department of Banking
William Peterson, Director, Financial Services Programs, New York State Department of Financial Services
Mary Beth Quist, Senior Vice President, Bank Supervision, Conference of State Bank Supervisors
Becky Strother, Senior Bank Examiner – IT, Iowa Division of Banking

10:45 AM – 11:00 AM  Closing Remarks (Meeting Room: Phoenix North)
Amy Richardson, Senior Director, Learning & Development, Conference of State Bank Supervisors

11:00 AM  Adjourn

Internal Use Only

Welcome to Austin!

Thank you!

We are all entrusted with protecting the banking system… One institution at a time.

Prepare for "When"

"The world evolves, and the risks change as well and I would say that the risk that we keep our eyes on the most now is cyber risk."
Fed Chairman Jerome Powell, 60 Minutes/CBS News, April 11, 2021

Sophisticated Actors:
• China
• Russia
• Iran
• North Korea
• Global Criminal Organizations

Community Bank Cybersecurity Intelligence & Resources

INFORMATION SHARING FOR COMMUNITY BANK COLLECTIVE DEFENSE

Recent Threat Identification and Mitigation
• Alerted Community Bank
• Performed Analysis
• Identified IOCs
• Identified IP Addresses
• Provided Recommendations

Always Ready

https://coastguard.dodlive.mil/2009/09/surf-training-at-station-bodega-bay/

COMPLIANCE ≠ SECURITY

People, Processes, Technology

Training is the Implementation of Cyber Culture
Train your employees. All of your employees (the C-Suite, too!)

The Moore's Law Effect: Computer processing speeds double about every two years. Defensive technologies alone cannot keep pace.

"Gone Phishing": Social engineering schemes, the go-to for nefarious cyber actors, remain effective.

"Insiders were the source for 50% of incidents where private or sensitive information was unintentionally exposed."*
*CSO Magazine / CERT Software Engineering Institute Survey

Incident Response Preparedness
• A plan is NOT enough
• Know roles & responsibilities
• Practice Incident Response
• Share Leading Practices

INTENTIONAL COLLABORATION
• Banking Safely Online Cards
• Information System Security & Resilience recommendations for banks
• Anti-Jugging Materials

INTENTIONAL COLLABORATION
#BanksNeverAskThat

TAKEAWAYS / RECOMMENDATIONS
• HELP BANKS GET BEYOND MERE "COMPLIANCE THINKING"
• ENGAGE IN INTENTIONAL COLLABORATION AND INNOVATION EFFORTS WITH TRADE ASSOCIATIONS AND INDUSTRY
• FOCUS ON PEOPLE AND TRAINING

Chris Furlow, President & Chief Executive Officer
cfurlow@texasbankers.com
www.texasbankers.com
+1.512.472.8388

Ransomware Self-Assessment Tool (R-SAT), Version 2.0 Review
Brad Robinson, CSBS
Phillip Hinkle, Texas Department of Banking

PROGRAM AGENDA
• R-SAT VERSION 2.0 OVERVIEW
• REVIEW OF CHANGES FOUND IN R-SAT, VERSION 2.0
• DISCUSSION OF STATE LESSONS LEARNED PAPER
• EXAMINER FEEDBACK AND DISCUSSION

R-SAT v. 2.0: Overview
• Updates to the R-SAT took approximately 12 months to complete
• Based on work from the R-SAT Working Group and feedback from the IT Advisory Team, Bankers Electronic Crimes Task Force, US Secret Service, and FDIC
• Rolled out R-SAT, v. 2.0 via two webinars
  • October 10: Commissioners
  • October 24: Industry
• 2,478 individuals registered for the Industry webinar; 1,508 attended
  • 1,374 bankers representing 47 states and territories
• Webinar and slides emailed to registrants and are also available on the CSBS website (along with the R-SAT and Lessons Learned paper)

R-SAT v. 2.0: What's Being Asked of Your Department

Adoption of the R-SAT is critical to change institution behaviors. To change behavior, we must all distribute the R-SAT.
1) The Method Most Likely to Change Behavior: Require entities to complete and return the R-SAT to your department within 90 to 180 days.
2) Next Best Method: Notify entities that examiners will discuss their completed R-SAT at the next examination.
3) Minimum/Baseline Method: Ask for a completed copy of the R-SAT prior to every examination.

R-SAT v. 2.0: Questions 1 & 2

NEW: Added example frameworks (was only CIS Controls); corrected names for frameworks; added footnote to FFIEC press release regarding agencies not endorsing a specific framework.

NEW: Added new sub-question to address review of gap analysis by the board, senior management, and, if applicable, the technology committee.

R-SAT v. 2.0: Question 3

NEW: To encourage more thorough review of cyber insurance policies, added detailed checklist of services commonly offered through cyber insurance policies. Also asks for identification of insurance provider(s).

R-SAT v. 2.0: Question 4

NEW: Added phrase "Check all that apply" based on feedback that some institutions were not clearly identifying services that were processed or managed both internally and through outsourcing. Added "Cloud-Based" column to identify which of the listed services are cloud-based. Provided simple examples of "Other Critical Services" for reference.

R-SAT v. 2.0: Questions 5 & 6

NEW: New question. Intended to identify and raise awareness of potential privacy regulations for any services based in foreign jurisdictions.

NEW: Added narrative to request documentation of any vendors not having ransomware-specific preventative controls in place. Added "at least annually" language to question addressing frequency of independent third-party vendor control audits.

R-SAT v. 2.0: Questions 7, 8, & 9

NEW: Added "unpatched vulnerabilities" to common ransomware attack vectors.

NEW: Added request to identify any specific risks identified in risk assessments that have not been appropriately remediated or mitigated to an acceptable risk level.

NEW: New question. Added question to identify whether all employees are periodically provided information on emerging ransomware threats via emails, meetings, etc.

R-SAT v. 2.0: Question 10

NEW: Added new sub-question to address the frequency of formal security awareness training offerings. Reworded main question to add new consideration for "Acceptable Use Policy training and written employee acknowledgement".

R-SAT v. 2.0: Question 11

NEW: New question. Added questions here to address performance of phishing exercises (at least quarterly) and the use of exercise metrics to evaluate training effectiveness and guide additional employee training efforts.

R-SAT v. 2.0: Question 12

NEW: Added three extra columns to allow the capture of more information directly in the question (reduced reliance on Appendix A); added request for description of procedure details for each control listed.

R-SAT v. 2.0: Question 12 (continued)

NEW: New control consideration (Control f) to address procedures in place to allow immediate off-network restoration (cold site, warm site, hot site) of backups to facilitate continuity of essential operations while network systems are offline, being cleared, and/or reimaged following an incident. New control consideration (Control h) to address procedures to validate the sterility of data backups prior to restoration.

R-SAT v. 2.0: Question 12 (continued)

NEW: Added ordered description fields for each control.

R-SAT v. 2.0: Question 13

NEW: New question. Now addresses whether application-based or phishing-resistant MFA methods are being applied (per CISA guidance); provided examples of stronger authentication methods.

R-SAT v. 2.0: Question 13 (continued)

NEW: New sub-question. Asks where/how MFA is used. Added multiple new considerations for PAM, access to external apps hosting NPI, vendor access into networks, internal service accounts, and customers accessing NPI. Added "Other" field for capture of other areas of implementation not listed. Added field for capture of areas where MFA implementation is not planned or has been deferred.

R-SAT v. 2.0: Question 14

NEW: Removed MFA references (now a separate question); added new considerations for patch management; technical and administrative controls to manage removable media use; controls for changing default hardware and software settings; implementation of jump box, bastion host, or administrative VLAN for segregating privileged/admin access to sensitive servers or data; and procedures for resetting or replacing user credentials.

R-SAT v. 2.0: Question 15

NEW: Minor rewording. Added phrase "actively participate" for emphasis in sub-question addressing C-suite participation in IRP testing.

R-SAT v. 2.0: Question 16

NEW: Minor rewording of DLP program consideration. Added consideration for alerts to changes in privileged access rights.

R-SAT v. 2.0: Question 17

NEW: No changes.

R-SAT v. 2.0: Question 18

NEW: Logical reordering of considerations. Added new or significantly reworded considerations to monitor social media (including "hyper-local") and news sources for public awareness and discussions of the incident; immediately contact federal law enforcement; implement out-of-band communication procedures; perform threat hunting to minimize back-door risks; implement alternative strategies for connecting to critical third-party vendors in the event of an infection; and establish escalation procedures for activating BCP/DR in the event of significant and/or long-term impacts to operations.

R-SAT v. 2.0: Question 18 (continued)

NEW: Added new or significantly reworded considerations to discuss the prospect of ransom payments with the board and any appropriate committee prior to payment, including awareness of and compliance with OFAC guidance; and notify federal regulators within 36 hours and state regulators in accordance with applicable state requirements.

R-SAT v. 2.0: Question 19

NEW: New question. Identification of any third parties to be engaged.
New question. Does the institution, or does the institution require third parties, including insurance companies, to promptly engage with law enforcement?
New question. Are any third parties pre-approved by the bank's cyber insurance provider?

R-SAT v. 2.0: Question 20

NEW: Added consideration for providing refresher training as necessary to employees.

R-SAT v. 2.0: Appendix B

NEW: Added ransomware resource links, including FFIEC Resource Guide, CISA Cybersecurity Evaluation Tool (C-SET), CISA Stop Ransomware resource site, and a link to the R-SAT on the CSBS website.

Lessons Learned From Ransomware Attacks
• Study was conducted of victims of ransomware attacks
• Purpose of the study was to guide needed updates to the R-SAT
• The study covered the four-year period between January 1, 2019, and December 31, 2022
• Multiple state banking departments participated in the study
• A written report is available for review

Lessons Learned From Ransomware Attacks
• Key findings from the study:
  • Most victims had not used the R-SAT to guide their risk mitigation, but ALL began using it fully after the incident
  • Multi-factor authentication (MFA) was implemented by all victims after the incident, if they weren't using it
  • Monitoring "hyper-local", as well as traditional social media, is important to manage misinformation and maintain consumer confidence

Lessons Learned From Ransomware Attacks
• Additional observations from the study:
  • Expanding cloud usage requires greater awareness of where data is located, as well as which services are cloud-based
  • Ransomware tactics are changing and now include double and triple extortion techniques, sometimes with accompanying DDoS attacks
  • Controversial practices: Paying an extortion fee for the promise of silence from a criminal emboldens them to continue targeting the banking industry

Group Questions
• How many states here are asking their banks to complete the R-SAT?
• Which option did your state choose?
• In your opinion, what are the 3-4 most important points now covered in the updated R-SAT?
• Ideas for future expansion? Change in format?
• Is there anything important we are missing?

Questions??

Confidential – For Interagency Use Only

Interagency Technology Future of Exam Tools: Credit Review
November 6, 2023

Background

Business Case Recap
• In 2020, an interagency team evaluated community bank examination processes across the agencies to determine if there is a business case for using shared technology tools to support examiners and bankers.
• Result of Evaluation: Across agencies, community bank examination processes share high commonality and present a compelling business case for collaborating on IT strategies that will achieve shared supervisory objectives.
• The timing is right as the landscape for supervision technology is changing rapidly. In the coming years, new technologies (e.g., AWS cloud and Appian low-code solution) must replace the proliferation of aging, custom-built systems at the FDIC and FRS. Common problems benefit from shared solutions.

Expected benefits: Reduced regulatory burden; Interagency alignment; Simplified IT ecosystem; Improved collaboration; Public stewardship; Lower costs

Interagency Magic Quadrant – Commonality vs. Value
(Chart: processes plotted by commonality against business value; remaining quadrant labelled "All Other Processes")

Assessing Business Value. Where would shared technology:
• relieve regulatory burden for supervised organizations and make it easier to work with other agencies on joint events?
• improve the efficiency and effectiveness of processes for supervisory staff?
• provide the greatest value for the largest number of stakeholders?

Assessing Commonality
• Hypothesis: CBO S&S supervision across the Fed, FDIC, and States is similar for 80% of business processes. Interagency efforts get bogged down in the 20% in differences.
• The team evaluated Processes, Activities and Steps across S&S supervision to look for commonalities. Conclusion: Basic business processes across CBO supervision are fundamentally similar.
• WHAT we do is common, but HOW we do it is different.

Summary of Interagency MOU Key Points

A Memorandum of Understanding (MOU) defines the framework for how the Fed, FDIC and CSBS will participate on a joint technology effort, including business-led governance, initial scope and longer-term goals, the services the Fed will provide to the other agencies, and MOU exit procedures. Each agency is in the process of signing the MOU.
• First Release: Will focus on credit review for CBO-RBO exams. Long-Term: Implement broader capabilities to retire the ETS product (ROE) and support common E2E processes.
• Fed will provide product management, technology delivery, and ongoing user support, at an incremental cost.
• Each agency will be an equal business partner in product decision-making (similar to the successful SNC governance model).
• Business Led: a Product Advisory Group (PAG) and oversight committee will provide business direction.

Governance

Interagency Governance Principles

The Governance Structure is based on principles that are…
• Business-driven, with leadership from product management and support from information technology professionals.
• Product-led, ensuring success through the creation of products that advance toward the overall vision.
• Inclusive, each party is an equal partner within the effort, with the right representation to participate and contribute throughout.
• Adaptable, with opportunities to reflect and evolve over time.

Who are the State Representatives involved with this effort?

Executive Committee
• Chris Dietz (IN)
• Mary Beth Quist (CSBS)

Product Oversight Committee (POC)
• Jay Voigt (TX)
• Jami Van Huet (CSBS)

Product Advisory Group (PAG)
• Zach Ball (MI)
• Mike Valle (OH)
• Mike Goffredo (PA)
• Hannah Thames (MS)
• Jay Voigt (TX)
• Jami Van Huet (CSBS)

Oversight of this effort for the states will be led by the CSBS State Supervisory Processes Committee (SSPC).

The State Examiner Review Team (SERT) will be involved, assisting with requirements and testing.

Product Management

Product Management is involved at every stage of the product lifecycle, from establishing a vision to coordinating legacy product retirements and transitions.

Vision and Strategy: Work with leaders to establish vision, strategy, and outcomes. Develop epic-level roadmap to be refined with POC/PAG.

Design and Plan to Reach Desired Outcomes: Work with business/users to understand needs and refine/prioritize roadmap. Interact with development on possibilities.

Iterative Development with Frequent Feedback: Frequently demo development progress to receive and respond to real-time feedback.

Launch/Release: Coordinate with legacy product owners on transition to new product. Assist business with transition planning in relation to business process timing.

Training and Communication: Coordinate and facilitate training plans. Work with business on communication to impacted users.

In-Life: Monitor product performance. Work with business/users to identify and address enhancements.

Legacy Product Retirement Planning: Work with legacy product owners and technical teams to plan for any needed data and document migration, timing, etc.

Vision

Interagency Credit Review: Product Vision

A vision, or vision statement, describes the overarching long-term mission. Vision statements are aspirational and communicate concisely where the product hopes to go and what it hopes to achieve in the long term.

Transform the asset review experience by providing ONE place for examiners to collaborate on credit review activities.

Interagency Credit Review: Product Outcomes

Product outcomes are the results we want to achieve that drive the evolution of the product to change customer behavior, improve the experience and reach business objectives. Product outcomes help us determine success of the product: did we achieve what we wanted and intended?
• Focus on the user experience to achieve an overall positive impression and maintain customer satisfaction.
• Increase adoption of true technology use in key areas, such as the line card, to reduce workarounds and enable efficient, accessible data.
• Expedite business value delivery through more frequent deployments and elimination of agency-specific releases or adoption dates.
• Improve training accessibility and technology quality of an interagency credit review tool to reduce support ticket volume (from ETS levels) and agency-specific training resource needs.
• Reduce the manual creation or compilation of data for reports and risk identification.

Guiding Principles: TACOS

Transparency: Share information early and frequently

Agility: Adapt and adjust quickly to changing dynamics

Contribution: Commit to adding value and honoring commitments

One-Team: We succeed or fail as one team; EVERYONE is an equal partner

Standardization: Standardize processes as much as possible, with minimum customization

Information Gathering & Collaboration

Progress to Date
• Conducted Journey Map interviews with examiners across agencies to understand current processes and pain points
• Holding regular PAG meetings as part of discovery to document business process workflows and gain a strong understanding of requirements
• Surveyed existing ETS users to better understand use of the application and areas for potential future technology focus
• Implemented governance structure with regular PAG, POC, and Executive Committee meetings

What's a Journey Map and Who Did We Interview?

A journey map is a visualization of the process that a person goes through to accomplish a goal. In its most basic form, it compiles a series of actions into a timeline.

Agency | # of Interviews | Roles of interviewees
FRB | 5 | EIC and Asset Managers
FDIC | 5 | EIC and Asset Managers
States (Arkansas, Iowa and Indiana) | 3 | Exam Managers and Asset Managers

IA Asset Review Journey Map

(Figure: timeline of the asset review process with a sentiment scale from Favorable to Unfavorable around a baseline. Favorable labels used: Easy, Flexible, Fun, Seamless, Enjoyable. Unfavorable labels used: Manual, Clunky, Inconsistent, Need Guidance, Inefficient, Too Technical, Need automation, Confusing, Tedious, Cluttered, Confused, Overwhelmed, Inflexible, Frustrated, Difficult, Hard.)

Stages and activities shown on the map:
• Determine data needed & request from bank: Request ILDR
• Intake / Obtain Data from Bank: Import ILDR txt file to ETS; Clean Up & Correct File Errors; Determine codes that need to be translated
• Validate, Analyze, and Reconcile Data: Reconcile ILDR to GL; Run LPAT Queries
• Select assets for review (sample): Add loans to scope based on risk factors; Ensure sample meets % guidelines; Share scope with exam team for approval; Share list of assets with review team (either in-scope or all assets)
• Conduct asset review: Identify and Build Borrower Relationship; Loan discussions with bank mgmt.; Document review and disposition on line card; Keep lead sheet in Excel or ETS for tracking
• Aggregate and Review Results: QC Review of Completed Line cards; Run reports (TE, credit admin weakness)
• Finalize and Share Results: Share Classifications with bank mgmt.; Draft ROE comments and AQ Pages
• Archive data and results: Save archive file to local record repository

Face-to-Face PAG Meeting Debrief

Topic: Shared National Credit Demo
Purpose:
• Provide a demonstration of development progress made with the Shared National Credit product.

Topic: Journey Map Review
Purpose:
• Share a visualization of the asset review process gathered by interviewing end-users from each organization.
• Summarize themes and key takeaways from the users' experience that will inform desired functionality of the new product.

Topic: Loan Scrubbing Tool Demo
Purpose:
• Provide a demonstration of FRB St. Louis' loan scrubbing tool.

Topic: Linecard Discussion
Purpose:
• Group breakouts to discuss linecard fields that are essential and brainstorm how the fields should be organized.
• Discussion of which templates are relevant and needed in the new product.

Topic: Change Management Overview
Purpose:
• Provide overview of the people side of change management, the PAG's roles and responsibilities as change agents, and next steps for activating change plans.

Topic: Mind Mapping Activity
Purpose:
• Group breakouts to discuss information, hierarchy, and relationships related to training, direct banker submission of data, data analytics and reporting, and policy and procedure considerations.

What the Group is Currently Exploring

Proposal to Update the Loan Data Request (ILDR)

Background
• The ILDR provides a standard format for an institution's submission of 82 data elements per credit; 30 are required fields
• Participation is voluntary, but data service providers have made this information readily available to institutions and it has become a foundational element for exam scoping
• PAG members believe there are benefits to be gained by updating the ILDR to support supervisory processes

Login.gov/Authentication

Background
• In 2021, FFIEC members agreed to adopt login.gov, a secure authentication solution, to provide supervised institutions and FFIEC members with a single sign-on to government websites including access to supervision systems
• Each FFIEC member is responsible for establishing their own implementation strategy and timeline for transitioning to login.gov

Questions

Internal Use Only

NONBANK

Nonbank Tabletop Exercise: Breakout Sessions 1 & 2 By CSBS Staff

1

Internal Use Only

Presentation Outline

Welcome and Introduction

Scenario Briefing

Injects 1 – 4

State Regulator Exam


Exercise Schedule

Activity                Time
Breakout Session 1
  Introduction          1:30 – 1:35 pm
  Scenario Briefing     1:35 – 1:40 pm
  Inject 1              1:40 – 2:00 pm
  Inject 2              2:00 – 2:30 pm
Break                   2:30 – 2:45 pm
Breakout Session 2
  Introduction          2:45 – 2:50 pm
  Inject 3              2:50 – 3:00 pm
  Inject 4              3:00 – 3:15 pm
  State Exam            3:15 – 3:35 pm
  Q & A                 3:35 – 3:45 pm


Exercise Objectives

Regulators will learn about the various aspects of the incident response program during the tabletop exercise, with a focus on both the company’s and examiner’s perspectives. Regulators will gain familiarity with the nonbank exam programs and the associated reference guide, specifically related to business continuity and incident response.


Exercise Instructions

For each Inject, your table will discuss the questions from the perspective of the company.

Focus on how you would respond if this happened, and not whether this could happen.

Assumptions are needed to complete the exercise. Do not let the lack of information negatively impact your participation.

There will be a group discussion after each inject and the state regulator exam.


Scenario Briefing


Institution Background
• Acme Mortgage Subservicer is a major player in the mortgage industry, specializing in sub-servicing operations for some of the largest mortgage companies in the country.
• Headquartered in Dallas, Texas, the company has a workforce of 950 employees, primarily comprised of loan servicing specialists, compliance officers, management, IT professionals, customer service representatives, and administrative staff.
• The institution is going to have a bad day.


Institution Operations
• Loan Onboarding: The process of onboarding loans for various clients.
• Payment Processing: Handling and processing mortgage payments, including escrow management and disbursements.
• Customer Service: Addressing borrower questions and concerns, and providing support.
• Loss Mitigation and Investor Reporting: Performing loss mitigation on delinquent and defaulted loans, remitting funds to investors, and performing all necessary investor reporting.
• Data Security: Safeguarding sensitive borrower information and transaction records.


Institution Key Operating Systems
• Core Servicing Platform: The primary system used for loan onboarding, payment processing, escrow management, loss mitigation processing and tracking, investor remitting and reporting, and servicing for client portfolios.
• Customer Information Database: Holds critical borrower information, including payment histories, contact details, and transaction records.
• Communication Infrastructure: The email server, essential for internal and external correspondence, including with vendors that support multiple aspects of the sub-servicing work.
• Document Repository: Securely stores and retrieves essential documents related to client portfolios.


Client Base
• Mortgage Companies: The sub-servicer works with some of the largest mortgage companies nationwide, manages a substantial portion of their portfolios, and is responsible for customer-facing administration of loans.
• Borrowers: The consumers who have mortgages with the client companies and rely on Acme for various services in connection with their mortgage.


Inject 1: Threat Monitoring and Internal Reporting
Time: 20 minutes (Table Discussion: 13 minutes; Summary Report: 7 minutes)


Inject 1: Threat Monitoring and Internal Reporting Monday, 10:00 am, June 6: Law enforcement, CISA, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) are actively tracking a spike in reports from financial institutions indicating increased malicious cyber activity, including one particularly active ransomware strain that appears to be targeting the financial sector (i.e., banks, credit unions, mortgage companies and other nonbank entities). Notifications of this anomalous activity have been disseminated by various credible public and government sources to all members of the financial sector this morning as reports of financial sector victims continue to emerge, including some operating within Acme’s home office footprint.


Discussion Questions
1. What tools might the organization employ to receive threat information?
2. How might the organization receive, prioritize, and act in response to information on new threats and vulnerabilities facing the company and its controls?
3. When and how should executive management and the Board receive information on the results of threat monitoring?
4. What are some of the key monitoring practices that an organization might utilize for servers, backup systems, workstations, networks, and other endpoints?

Instructions
• Discuss each of the questions at your table
• Be prepared to provide a summary to the group
• Table Discussion: 13 minutes; Summary Report: 7 minutes


Inject 2: Incident Response
Time: 30 minutes (Table Discussion: 20 minutes; Summary Report: 10 minutes)


Inject 2: Incident Response Monday, 2:45pm, June 6: A loan servicing specialist receives an encrypted email from a borrower claiming to have issues making a payment on their mortgage. The email does not clearly reference a specific customer account, but the loan servicing specialist believes it is legitimate and opens the email and enters their Office365 credentials when prompted. Within minutes, ransom screens appear on company computers and departments throughout the company’s headquarters are unable to access their network. Staff in the regional servicing facilities report issues using shared applications and have trouble connecting to HQ. The systems needed to perform critical daily functions are nonfunctioning or are now performing erratically.


Inject 2: Incident Response (continued)
Monday, 2:45 pm, June 6: IT staff have conferred with senior management and the Board, and it has been decided that activation of the incident response plan is warranted. IT staff immediately begin taking the company's network offline to contain the spread of the ransomware. The company's operations, including the regional offices, have now effectively been brought to a standstill.


Discussion Questions
1. Now that ransomware has been identified within the organization, what are some of the initial technical steps the organization (in particular, IT staff) should be taking to address the incident?
2. Let's now think about how incident communications happen within the organization. Once the incident response plan has been activated, how and to whom might the details of the incident be communicated within the organization? Who within the organization might potentially be involved in this portion of the incident response process?

Instructions
• Discuss each of the questions at your table
• Be prepared to provide a summary to the group
• Table Discussion: 20 minutes; Summary Report: 10 minutes
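The following Python script is an added example and is not part of the CSBS exercise materials. It gives one concrete answer to Inject 1, question 4 (a monitoring practice for workstations and file servers) whose output also feeds the first technical step asked about in Inject 2, question 1: which host and which account to isolate first. It flags a host that renames many files to a single unfamiliar extension within a short window, the pattern an encryptor produces. The log line format, host names, user names, file extensions and thresholds are assumptions made for the illustration, and the sample log is constructed, not captured.

```python
"""
Mass-rename (encryptor) detection over endpoint file-event logs.

Added example, not part of the CSBS exercise materials. It demonstrates one
monitoring practice for workstations and file servers (Inject 1, question 4)
whose output also answers the first technical question of Inject 2: which
host and account to isolate first. The log format, host names, extensions
and thresholds are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (hypothetical endpoint agent / file-server audit):
#   <ISO time> <host> <user> RENAME <old path> -> <new path>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+RENAME\s+(.+?)\s+->\s+(.+)$")
EXT_RE = re.compile(r"(\.[A-Za-z0-9]+)$")

# Extensions staff legitimately produce; anything else counts as unfamiliar.
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".csv", ".bak", ".tmp"}


def parse_events(lines):
    """Parse log lines into (time, host, user, old_path, new_path); skip junk."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, user, old, new = m.groups()
            events.append((datetime.fromisoformat(ts), host, user, old, new))
    return events


def appended_extension(old_path, new_path):
    """Return the new extension if the rename changed it, otherwise None."""
    old = EXT_RE.search(old_path)
    new = EXT_RE.search(new_path)
    old_ext = old.group(1).lower() if old else ""
    new_ext = new.group(1).lower() if new else ""
    return new_ext if new_ext != old_ext else None


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=20):
    """Alert when one host/user renames >= threshold files to the same
    unfamiliar extension inside any sliding window of length `window`."""
    times_by_key = defaultdict(list)
    for ts, host, user, old, new in events:
        ext = appended_extension(old, new)
        if ext and ext not in KNOWN_EXTENSIONS:
            times_by_key[(host, user, ext)].append(ts)

    alerts = []
    for (host, user, ext), times in times_by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"host": host, "user": user, "extension": ext,
                           "renames_in_window": peak,
                           "first_seen": times[0].isoformat()})
    return alerts


def isolation_targets(alerts):
    """Hosts to pull off the network and accounts to disable, from alerts."""
    return {"hosts": sorted({a["host"] for a in alerts}),
            "accounts": sorted({a["user"] for a in alerts})}


# Constructed sample log (not real data): routine renames on one workstation,
# a malformed line, then 25 loan files renamed to ".locked" within 50 seconds
# from a second workstation against a file share.
SAMPLE_LOG = [
    "2024-06-06T14:40:02 WS-HQ-117 j.doe RENAME C:\\docs\\q1.xlsx -> C:\\docs\\q1-final.xlsx",
    "2024-06-06T14:40:31 WS-HQ-117 j.doe RENAME C:\\docs\\~tmp91.tmp -> C:\\docs\\memo.docx",
    "2024-06-06T14:41:10 WS-HQ-117 j.doe RENAME C:\\docs\\policy.docx -> C:\\docs\\policy.old",
    "garbage line the parser must skip",
] + [
    f"2024-06-06T14:46:{s:02d} WS-HQ-042 a.smith RENAME "
    f"\\\\FS01\\loans\\loan{n:03d}.pdf -> \\\\FS01\\loans\\loan{n:03d}.pdf.locked"
    for n, s in zip(range(1, 26), range(5, 55, 2))
]

if __name__ == "__main__":
    found = detect_mass_rename(parse_events(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(isolation_targets(found))
```

Run as-is, the script reports a single alert for WS-HQ-042 / a.smith writing ".locked" files and names that host and account as the first isolation targets; the single ".old" rename on WS-HQ-117 stays under the threshold and is not reported. The threshold and window are the tuning knobs a practitioner would set from a baseline of normal rename rates on the file share; the same key (host, user, extension) is what an examiner would expect to see in the incident timeline when reviewing the company's detection logs after the event.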


Break 2:30 – 2:45 pm


Inject 3: Management of External Communications and Recovery
Time: 10 minutes (Table Discussion: 6 minutes; Summary Report: 4 minutes)


Inject 3: Management of External Communications and Recovery Tuesday, 12:15 pm, June 7: While internal IT teams continue their urgent work to contain the ransomware and execute their incident response plan, it is discovered that news of the incident has leaked to social media platforms and is quickly beginning to spread. Customers are expressing their concerns and seeking information about the situation, putting pressure on customer support teams to provide timely and accurate updates. Additionally, media outlets have caught wind of the incident, and reporters are requesting details about the attack. This surge in external communication escalates the urgency of managing the incident's public-facing aspect.


Discussion Questions
1. Considering the incident is now public, which external parties should the company inform about the ransomware event at this time?
2. Do you still believe the organization should wait for formal inquiries from the media before responding? Who within the organization should be responsible for making this decision and initiating the response efforts? Should the organization proactively issue a press release, or engage in other forms of public outreach, such as social media postings?

Instructions
• Discuss each of the questions at your table
• Be prepared to provide a summary to the group
• Table Discussion: 6 minutes; Summary Report: 4 minutes


Inject 4: Lessons Learned
Time: 15 minutes (Table Discussion: 10 minutes; Summary Report: 5 minutes)


Inject 4: Lessons Learned
Monday, 9:00 am, June 13: Company operations have now effectively returned to normal, although some behind-the-scenes IT staff work continues to button up systems and the company's network.

Discussion Question
1. How might the organization address lessons learned during the event to help prevent the incident from reoccurring and to make response processes more effective if another incident occurs?

Instructions
• Discuss the question at your table
• Be prepared to provide a summary to the group
• Table Discussion: 10 minutes; Summary Report: 5 minutes


State Regulator Exam
Time: 20 minutes (Table Discussion: 13 minutes; Summary Report: 7 minutes)


State Regulator Exam Your agency has joined a multi-state examination of Acme Mortgage Subservicer in the aftermath of the ransomware attack. The examination is scheduled to be onsite on October 2nd, approximately 120 days after the incident occurred. The exam will evaluate the company's response to the incident and assess the implementation of safeguards to protect against future attacks. In addition, the exam team will review compliance with state (and federal) laws regarding data breach incidents.


Discussion Questions
1. Before going onsite, what documents and pieces of information would you request? Is there anything additional you would request once you arrived onsite?
2. What questions would you ask the company about their incident response plan?
3. What questions would you ask the company about their business continuity plan?
4. How would you verify that the necessary notifications have been made within the required timeframes to the appropriate regulators?
5. What safeguards and security measures are you looking for the company to implement to prevent and protect against future attacks?

Instructions
• Discuss each of the questions at your table
• Be prepared to provide a summary to the group
• Table Discussion: 13 minutes; Summary Report: 7 minutes


Closing Discussion


Large Nonbank Institution Ransomware Tabletop Exercise

Includes:

• Facilitator's Exercise Key
• Optional Examiner Perspective Exercise

November 11, 2023

Contents
Introduction
  Notes On This Exercise
Ransomware Exercise Scenario
  INJECT 1
  INJECT 2
  INJECT 3
  INJECT 4
APPENDIX: OPTIONAL State Regulator Exam
Ransomware Scenario (Exercise Facilitator's Key)
  INJECT 1
  INJECT 2
  INJECT 3
  INJECT 4
APPENDIX: OPTIONAL State Regulator Exam (Exercise Facilitator's Key)


Introduction
CSBS has developed this Large Nonbank Institution Ransomware Tabletop Exercise to help examiners further their knowledge of the challenges faced by licensed entities dealing with a ransomware incident. By completing this scenario-based exercise, participants will develop a better understanding of the incident response lifecycle, including:

• Threat intelligence gathering and dissemination;
• Components of the incident response plan, including:
  o Activation of the plan
  o Coordination of incident response individuals and teams
  o Evaluation of the incident and remediation
  o Communication with internal and external parties; and
• Post-incident activities

Ransomware presents a significant threat to financial institutions of all sizes and types. Due to the potential severity of a ransomware attack, it is critical that institutions are sufficiently prepared to identify and respond to threats. However, it is also important for examiners to have a working knowledge of what is occurring in a financial institution during an attack. By developing this understanding, regulatory agencies and examiners alike can adopt assistance and information gathering approaches that inform as necessary without causing undue interference in remediation and recovery efforts occurring within the institution.

Notes On This Exercise
The scenario contained in this document is tailored specifically around a ransomware incident affecting a large nonbank financial institution. Although incident response concepts are similar from institution to institution, specific responses and activities may vary based on a number of factors, including size, complexity, the type of entity involved, and the geographic footprint of the entity. Moreover, some institutions may be exempted from requirements for a written incident response plan under the FTC Safeguards Rule. However, during an examination, examiners should be able to determine, through conversations with management, that the entity is sufficiently prepared to respond to the cyber incidents most likely to affect it, regardless of any requirements or exemptions from preparing a written plan.

This exercise is intended to give participants a general flavor of the activities performed by the institution during a ransomware incident and is designed to be completed in 2-3 hours. Due to its length, it is not intended to represent every possible scenario, nor every relevant control application or policy consideration for all entities. Although this exercise focuses specifically on a ransomware event, some of the processes and procedures contained herein are also relevant for educating examiners on responses to other significant event types, such as business email compromise, unauthorized access to systems, and SQL injection attacks.
