Alston & Bird Privacy Blog

State Financial Regulators Issue Ransomware Mitigation Tool

By , and

On October 13, 2020, state financial regulators in partnership with the Bankers Electronic Crimes Taskforce and the U.S. Secret Service, released the Ransomware Self-Assessment Tool (R-SAT) to help financial institutions mitigate the risks of ransomware.  The R-SAT is a detailed questionnaire designed to evaluate the effectiveness of an institution’s general security controls as well as to assist its executive management and the board of director in identifying, responding, and recovering from a ransomware attack.  For example, the R-SAT includes questions regarding:

  •  Adherence to a comprehensive set of security control frameworks (such as CIS Controls, COBIT, ISO, NIST, or PCI-DSS);
  • Performance of a gap assessment against that security framework;
  • Presence of a valid cyber policy that addresses ransomware;
  • Identification of information resources; and
  • Third-party vendor access controls.

For banks, the R-SAT is not simply general guidance that may result in additional regulatory inquiry.  State banking commissioners across the country are releasing this tool to their institutions, which means that these questions could be asked in the process of regulatory oversight.  In particular, the Texas Division of Banks stated that it will contact institutions in the first half of 2021 to “discuss [the institution’s] progress in implementing ransomware mitigation as well as all aspects of the R-SAT.”  It also noted that information technology examinations scheduled in the first half of 2021 will include a review of the financial institution’s completed R-SAT.

With this release, state financial regulators remind financial institutions to be vigilant against increasingly sophisticated ransomware attacks. Regulators also remind financial institutions that paying a ransom could expose financial institutions (and incident response consultants) to civil penalties if the payment is made to a cybercriminal sanctioned by Treasury’s Office of Foreign Assets Control (OFAC) (Alston recently covered OFAC’s ransomware advisory here).

Although “there is no single measure to prevent ransomware attacks,” state financial regulators stress that strong backup practices and the use of multi-factor authentication are two of the most important. In many respects, the R-SAT continues to affirm good cyber hygiene in accordance with existing cybersecurity frameworks and industry best practices.

For further information, please contact the Alston & Bird Privacy & Data Security Team.

 

Kimberly Peretti

About Kimberly Peretti

Kim is a former DOJ cybercrime prosecutor and former director of PwC’s cyber forensics group. She has over 20 years of experience in cybercrime, data breach response, and cybersecurity and delivers top-of-the-line cyber risk management and information security counsel to her clients. Kim is co-lead of our Cybersecurity Preparedness & Response Team.

[Read Bio]

Amy Mushahwar

About Amy Mushahwar

Amy Mushahwar is a partner on the Privacy & Data Security and Cybersecurity Preparedness & Response teams. Amy has over 20 years of experience in the technology space and focuses her practice on data security, cyber risk, privacy, and emerging technologies. She advises clients on proactive data security practices, data breach incident response, and regulatory compliance.

[Read Bio]

Alysa Austin

About Alysa Austin

Alysa Austin is an associate with the Privacy & Data Security Team and advises clients on cybersecurity compliance, breach investigations and response, online procedures and policies, and vendor contracts.

[Read Bio]