Alston & Bird Privacy, Cyber & Data Strategy Blog

State Financial Regulators Issue Ransomware Mitigation Tool

October 16, 2020 By Kim Peretti, Amy Mushahwar and Alysa Austin

On October 13, 2020, state financial regulators, in partnership with the Bankers Electronic Crimes Taskforce and the U.S. Secret Service, released the Ransomware Self-Assessment Tool (R-SAT) to help financial institutions mitigate the risks of ransomware. The R-SAT is a detailed questionnaire designed to evaluate the effectiveness of an institution’s general security controls and to assist its executive management and board of directors in identifying, responding to, and recovering from a ransomware attack. For example, the R-SAT includes questions regarding:

  • Adherence to a comprehensive set of security control frameworks (such as CIS Controls, COBIT, ISO, NIST, or PCI-DSS);
  • Performance of a gap assessment against that security framework;
  • Presence of a valid cyber policy that addresses ransomware;
  • Identification of information resources; and
  • Third-party vendor access controls.

For banks, the R-SAT is not simply general guidance that may result in additional regulatory inquiry. State banking commissioners across the country are releasing this tool to their institutions, which means that these questions could be asked in the process of regulatory oversight. In particular, the Texas Division of Banks stated that it will contact institutions in the first half of 2021 to “discuss [the institution’s] progress in implementing ransomware mitigation as well as all aspects of the R-SAT.” It also noted that information technology examinations scheduled in the first half of 2021 will include a review of the financial institution’s completed R-SAT.

With this release, state financial regulators remind financial institutions to be vigilant against increasingly sophisticated ransomware attacks. Regulators also remind financial institutions that paying a ransom could expose financial institutions (and incident response consultants) to civil penalties if the payment is made to a cybercriminal sanctioned by Treasury’s Office of Foreign Assets Control (OFAC) (Alston recently covered OFAC’s ransomware advisory here).

Although “there is no single measure to prevent ransomware attacks,” state financial regulators stress that strong backup practices and the use of multi-factor authentication are two of the most important measures. In many respects, the R-SAT continues to affirm good cyber hygiene in accordance with existing cybersecurity frameworks and industry best practices.

For further information, please contact the Alston & Bird Privacy & Data Security Team.
