Cyber & IT Supervisory Forum - November 2023

Internal Use Only

R ‐ SAT v. 2.0: Question 19

NEW: New question. Identification of any third parties to be engaged. New question. Does the institution or does the institution require third parties, including insurance companies, to promptly engage with law enforcement? New question. Are any third parties pre ‐ approved by the bank’s cyber insurance provider?

23

Internal Use Only

R ‐ SAT v. 2.0: Question 20

NEW: Added consideration for providing refresher training as necessary to employees.

24