Cyber & IT Supervisory Forum - November 2023

Introduction

CSBS has developed this Large Nonbank Institution Ransomware Tabletop Exercise to help examiners further their knowledge of the challenges faced by licensed entities dealing with a ransomware incident. By completing this scenario-based exercise, participants will develop a better understanding of the incident response lifecycle, including:

• Threat intelligence gathering and dissemination;
• Components of the incident response plan, including:
   o Activation of the plan
   o Coordination of incident response individuals and teams
   o Evaluation of the incident and remediation
   o Communication with internal and external parties; and
• Post-incident activities

Ransomware presents a significant threat to financial institutions of all sizes and types. Due to the potential severity of a ransomware attack, it is critical that institutions are sufficiently prepared to identify and respond to threats. However, it is also important for examiners to have a working knowledge of what is occurring in a financial institution during an attack. By developing this understanding, regulatory agencies and examiners alike can adopt assistance and information gathering approaches that inform as necessary without causing undue interference in remediation and recovery efforts occurring within the institution.

Notes On This Exercise

The scenario contained in this document is tailored specifically around a ransomware incident affecting a large nonbank financial institution. Although incident response concepts are similar from institution to institution, specific responses and activities may vary based on a number of factors, including size, complexity, the type of entity involved, and the geographic footprint of the entity. Moreover, some institutions may be exempted from requirements for a written incident response plan under the FTC Safeguards Rule. However, during an examination, examiners should be able to determine, through conversations with management, that the entity is sufficiently prepared to respond to cyber incidents most likely to affect them regardless of any requirements or exemptions from preparing a written plan.

This exercise is intended to give participants a general flavor for the activities performed by the institution during a ransomware incident and is designed to generally be completed in 2-3 hours. However, due to its length, it is not intended to represent every possible scenario, nor every relevant control application or policy consideration for all entities.

Although this exercise focuses specifically on a ransomware event, some of the processes and procedures contained herein are also relevant for educating examiners on responses to other significant event types, such as business email compromise, unauthorized access to systems, and SQL injection attacks.
