Cyber & IT Supervisory Forum - November 2023

Ransomware Exercise Scenario [1]

Institution Background:

Acme Mortgage Subservicer is a major player in the mortgage industry specializing in sub-servicing operations for some of the largest mortgage companies in the country. Headquartered in Dallas, Texas, the company has a workforce of 950 employees, primarily comprised of loan servicing specialists, compliance officers, IT professionals, customer service representatives, and administrative staff.

Operations Conducted by Acme Mortgage Subservicer:

• Loan Onboarding: The process of onboarding loans for various clients.
• Payment Processing: Handling and processing mortgage payments, including escrow management and disbursements.
• Customer Service: Addressing borrower questions, concerns, and providing support.
• Loss Mitigation and Investor Reporting: Performing loss mitigation on delinquent and defaulted loans, remitting funds to investors, performing all necessary investor reporting.
• Data Security: Safeguarding sensitive borrower information and transaction records.

Acme Mortgage Subservicer's Client Base:

• Mortgage Companies: The sub-servicer works with some of the largest mortgage companies nationwide, manages a substantial portion of their portfolios, and is responsible for customer-facing administration of loans.
• Borrowers: The consumers who have mortgages with the client companies and rely on Acme for various services in connection with their mortgage.

INJECT 1: Monday, 10:00 am, June 6:

Law enforcement, CISA, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) are actively tracking a spike in reports from financial institutions indicating increased malicious cyber activity, including one particularly active ransomware strain that appears to be targeting the financial sector (i.e., banks, credit unions, mortgage companies and other NDI entities). Notifications of this anomalous activity have been disseminated by various credible public and government sources to all members of the financial sector this morning as reports of financial sector victims continue to emerge, including some operating within Acme’s home office footprint.

[1] This exercise depicts an event at a large entity. Please note that some entities may be exempt from written IR plan requirements under the Safeguards Rule. In such cases, you should be able to determine, through discussions with management, that the entity is prepared to address security incidents, regardless of any Safeguards Rule exemptions. Incident response procedures are critical for ALL entities, regardless of size or regulatory requirements.
