Cyber & IT Supervisory Forum - November 2023

Internal Use Only

Inject 2: Incident Response Monday, 2:45pm, June 6: A loan servicing specialist receives an encrypted email from a borrower claiming to have issues making a payment on their mortgage. The email does not clearly reference a specific customer account, but the loan servicing specialist believes it is legitimate and opens the email and enters their Office365 credentials when prompted. Within minutes, ransom screens appear on company computers and departments throughout the company’s headquarters are unable to access their network. Staff in the regional servicing facilities report issues using shared applications and have trouble connecting to HQ. The systems needed to perform critical daily functions are nonfunctioning or are now performing erratically.

15

Internal Use Only

Inject 2: Incident Response continued Monday, 2:45pm, June 6: IT staff has conferred with senior management and the Board, and it has been decided that activation of the incident response plan is warranted. IT staff begin to take steps to immediately take the company’s network offline to try and contain the spread of ransomware. The company’s operation, including the regional offices, has now effectively been brought to a standstill.

16