Cyber & IT Supervisory Forum - November 2023

Internal Use Only

R-SAT v. 2.0: Question 4

NEW: Added phrase “Check all that apply” based on feedback that some institutions were not clearly identifying services that were processed or managed both internally and through outsourcing. Added “Cloud-Based” column to identify which of the listed services are cloud-based. Provided simple examples of “Other Critical Services” for reference.

R-SAT v. 2.0: Questions 5 & 6

NEW: New question. Intended to identify and raise awareness of potential privacy regulations for any services based in foreign jurisdictions.

NEW: Added narrative to request documentation of any vendors not having ransomware-specific preventative controls in place. Added “at least annually” language to question addressing frequency of independent third-party vendor control audits.
