Cyber & IT Supervisory Forum - November 2023

APPENDIX: OPTIONAL State Regulator Exam (Exercise Facilitator’s Key)

Your agency has joined a multi-state examination of Acme Mortgage Subservicer in the aftermath of the ransomware attack. The examination is scheduled to be onsite on October 2nd, approximately 120 days after the incident occurred. The exam will evaluate the company's response to the incident and assess the implementation of safeguards to protect against future attacks. In addition, the exam team will review compliance with state (and federal) laws regarding data breach incidents.

** This section is designed to be used as a conclusion to the primary exercise and asks regulatory participants to shift their focus from the company’s perspective to that of a regulatory examiner. As this section builds upon the principles contained in the previous portion of the exercise, this section is less detailed and provides some specific considerations for examiners interacting with a company in the immediate aftermath of an incident.

As we have discovered in the exercise, there are a lot of moving parts that an entity must juggle during an active incident. As regulatory entities and field examiners, it is helpful to understand what an impacted entity must deal with, from gathering and distributing initial threat intelligence, to rallying resources to respond to the initial moments and hours of an attack, to communicating with necessary parties, to revisiting the “good and bad” of response efforts in the after-incident analysis. As regulatory agencies, we want to assist the entity in any way that is practical but, realistically, our boots-on-the-ground actions are limited during an ongoing incident. Understanding the chaos that is created during an event also helps us to understand our own needed level of involvement during an incident. It is incredibly easy for regulators, even with the best of intentions, to create a distraction for an entity that may be frantically bailing water from a rapidly sinking ship.
There is certainly information that regulators need to know, and it is the duty of the licensee to provide that information to us in a timely manner. However, we must be aware of the limitations and timing of available information, and we must seek to avoid complicating recovery efforts where possible. The line between being informed and being an unnecessary distraction is often very thin.

Much like loans are scrutinized in an entity with loan quality or admin problems, when an exam team goes onsite in the wake of an incident there are certain areas that will warrant additional attention from exam teams. In the previous sections of this exercise, we have looked at some of the basic considerations that the entity will need to implement. A portion of your focus as an examiner will be to specifically assess how the entity (a) handled the incident, (b) changed its plan and processes in the aftermath of the incident, and (c) is prepared to handle incidents going forward. Basic areas of focus in the follow-up exam include, but are not limited to:

a. Response to the Incident and After-Incident Documentation: This consideration looks at how the entity actually managed its own efforts during the incident. Management should
