Cyber & IT Supervisory Forum - November 2023

‐ Impact:

 Inaccessible User Data: Borrower informa Ɵ on, including payment histories and contact details, remains inaccessible.

 Communica Ɵ on Infrastructure: ‐ Overview: The email server, essen Ɵ al for internal and external correspondence, including vendors that support mul Ɵ ple aspects of the sub ‐ servicing work. ‐ Impact:  Customer Service Issues: The company’s ability to respond to borrower inquiries about their loans and accounts is currently unavailable.  Communica Ɵ on Interrup Ɵ on: Email and messaging, both internal and external, is compromised. This prevents communica Ɵ on between the regional servicing facili Ɵ es and the home o ffi ce.  Document Repository: ‐ Overview: The system for securely storing and retrieving essen Ɵ al documents related to client por ƞ olios. ‐ Impact:  Inaccessible Document Data: Essen Ɵ al client documents and records remain inaccessible. IT sta ff has conferred with senior management and the Board, and it has been decided that ac Ɵ va Ɵ on of the incident response plan is warranted. IT sta ff begin to take steps to immediately take the company’s network o ffl ine to try and contain the spread of ransomware. The company’s opera Ɵ on, including the regional o ffi ces, has now e ff ec Ɵ vely been brought to a stands Ɵ ll. 1.) Now that ransomware has been iden Ɵ fi ed within the organiza Ɵ on, what are some of the ini Ɵ al technical and administra Ɵ ve steps the organiza Ɵ on should be taking to address the incident? Now we are ge ƫ ng into the heart of the organiza Ɵ on’s response to the incident. There are many poten Ɵ al steps in this process, and the order in which these steps should be taken will vary somewhat from organiza Ɵ on to organiza Ɵ on. In general, the way an organiza Ɵ on reacts to an incident follows some sort of logical order. And, of course, these logical steps would ideally be contained in the wri Ʃ en incident response plan. This is important since, as we men Ɵ oned, chaos o Ō en reigns at all levels of the organiza Ɵ on when something goes wrong. We might think of these steps in discrete subsec Ɵ ons, the fi rst addressing how the organiza Ɵ on ini Ɵ ally takes steps to “stop the bleeding” once an incident occurs. These steps generally involve the following: INCIDENT RESPONSE:

14