
Colorado Division of Banking · CO

Updated Nonbank Ransomware Self-Assessment Tool (R-SAT)

Summary

The Colorado Division of Banking released an updated Ransomware Self-Assessment Tool (R-SAT) to help financial institutions evaluate their cybersecurity preparedness, identify control gaps, and enhance incident recovery strategies. The tool emphasizes a comprehensive framework-based approach to assessing vulnerabilities in data backup, network access, vendor management, and employee training.

Ransomware Self-Assessment Tool (R-SAT)

October 24, 2023 Version 2.0

Developed in collaboration with the Bankers Electronic Crimes Task Force, State Bank Regulators, and the United States Secret Service


Purpose

The Bankers Electronic Crimes Task Force (BECTF), state bank regulators, and the United States Secret Service collaborated to develop this tool to help financial institutions periodically assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security. This document provides executive management and the board of directors with an overview of the institution’s preparedness towards identifying, protecting, detecting, responding, and recovering from a ransomware attack. It may also assist other third parties (such as auditors, security consultants and regulators) that might review your institution’s security practices.

Ransomware is a type of malicious software (malware) that encrypts data on a computer, making it difficult or impossible to recover. Attackers usually offer to provide a decryption key after a ransom is paid; however, these keys may not work (if they are provided at all), which could make the financial institution’s critical records unavailable. In addition, attackers may utilize extortion tactics to threaten the institution with public disclosure of exfiltrated customer or company information if the ransom is not paid. However, financial institutions choosing to pay ransoms, as well as companies that facilitate ransom payments to cyber actors on behalf of victims, including cyber insurance firms and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but may also violate OFAC regulations.

Completing the Ransomware Self-Assessment Tool (R-SAT)

The R-SAT is derived from the BECTF’s Best Practices for Banks: Reducing the Risk of Ransomware. Those best practices have been updated in the R-SAT to address today’s environment. Due to the sophistication of ransomware, some areas in the R-SAT are mildly technical. You may wish to ask your institution’s vendors and third-party service providers to complete some questions. Finally, due to the potential sensitivity of information contained in the R-SAT, institutions are cautioned to exercise due care to protect against unauthorized access or disclosure of the completed document outside of the institution.

Preparer Information

Please provide the following information regarding the preparer of this document.

Name and Title:
Email and Phone Number:
Institution Name:
Date Completed:
Date Reviewed by Board:

IDENTIFY/PROTECT

  1. Has the institution implemented a comprehensive set of controls designed to mitigate cyber-attacks (e.g., FFIEC CAT, CIS Critical Security Controls, NIST Cybersecurity Framework)?

    [ ] YES [ ] NO

    If so, what standard(s) or framework(s) (if any) are used to guide cybersecurity control implementation? Check all that apply.

    Note: State bank regulators do not endorse any specific standard or framework.

    • AICPA SOC
    • CIS Critical Security Controls
    • COBIT
    • CRI Profile
    • FFIEC CAT
    • International Organization for Standardization (ISO)
    • NIST Cybersecurity Framework
    • PCI DSS
    • Other ____________________
  2. Has a gap analysis been performed to identify controls that have not been implemented but are recommended in the standards and frameworks that the institution uses?

    [ ] YES [ ] NO

    If yes, has the gap analysis been reviewed by the board, senior management, and, if applicable, the technology committee?

    [ ] YES [ ] NO
  3. Does the institution have a cyber insurance policy(s) that includes ransomware coverage? If yes, please provide the name of the insurer(s).

    [ ] YES [ ] NO

    Provide the name of the insurer(s).

    If yes, does the policy(s) collectively provide any of the following services? Check all that apply.

    • Data retention services
    • Breach response
    • Cyber extortion assistance
    • Data loss (hardware replacement)
    • Third-party coverage
    • Regulatory penalties assistance
    • Legal expenses
    • Forensic services
    • Negotiating/facilitating ransom payments
    • Customer notification assistance
    • Customer call center services
    • Management of public relations
    • Customer credit monitoring
  4. Indicate if the following systems or activities are processed or performed internally, are outsourced to a third party, such as vendors that specialize in core services or provide network administration (a/k/a managed service providers (MSPs)), or a combination of the two. In addition, please identify any services that are based in a cloud environment. Check all that apply.

System or Activity                        Cloud-Based   In-House   Outsourced
Core Processing                           [ ]           [ ]        [ ]
Network Administration                    [ ]           [ ]        [ ]
Email Service                             [ ]           [ ]        [ ]
File Imaging (Checks, Loans, etc.)        [ ]           [ ]        [ ]
Trust Services                            [ ]           [ ]        [ ]
Mortgage Loans                            [ ]           [ ]        [ ]
Investments (Bonds, Stocks, etc.)         [ ]           [ ]        [ ]
Other Critical Services* (Please list below):
____________________                      [ ]           [ ]        [ ]
____________________                      [ ]           [ ]        [ ]
____________________                      [ ]           [ ]        [ ]
____________________                      [ ]           [ ]        [ ]
____________________                      [ ]           [ ]        [ ]

* Services such as data storage, wire transfer, payroll systems, general ledger, other customer-facing applications, etc.

  5. Is any of the data identified in the previous question housed in a location(s) outside of the United States?

    [ ] YES [ ] NO

    If yes, has management discussed any applicable privacy regulations in those foreign jurisdictions, such as GDPR, PIPEDA, etc.?

    [ ] YES [ ] NO
  6. Do any third-party vendors (including any MSPs) have continuous or intermittent remote access to the network?

    [ ] YES [ ] NO

    If yes, explain the different types of access methods used, such as remote scripting, screen sharing, VPN, etc.

    If yes, do all of these vendors implement controls to prevent ransomware and threat actors from moving from their network to the institution’s network via the access methods noted above?

    [ ] YES [ ] NO

    Describe applicable vendor-implemented controls below. In addition, identify below which vendors do not have such controls in place.

    As part of the institution’s vendor management process, do all third-party vendors with remote access to the network provide, at least annually, an independent audit that confirms these controls are in place?

    [ ] YES [ ] NO
  7. Do risk assessments include ransomware and extortion as a threat?

    [ ] YES [ ] NO

    If yes, are common potential attack vectors, such as phishing, watering holes, malicious ads, third-party apps, attached files, and unpatched vulnerabilities, identified?

    [ ] YES [ ] NO
  8. Have all ransomware risks and threats identified in risk assessments been appropriately remedied or mitigated to an acceptable risk level?

    [ ] YES [ ] NO

    If no, identify any unmitigated risks below.

  9. Are all employees periodically provided information on emerging ransomware threats via branch meetings, emails from IT security personnel, etc.?

    [ ] YES [ ] NO
  10. At what frequency is formal employee security awareness training (classroom training, web-based training, self-paced learning, etc.) provided to employees?

    • Annually
    • Semi-annually
    • Quarterly
    • Monthly
    • Other __________________________________________________________

    Indicate which of the following, if any, are included as part of employee security awareness training programs. Check all that apply.

    • Social engineering and phishing testing
    • Ransomware and extortion
    • Incident identification and reporting
    • Acceptable use policy training and written employee acknowledgement
  11. Does the institution perform phishing test exercises (at least quarterly) to measure employee vigilance and awareness of phishing threats?

    [ ] YES [ ] NO

    If yes, are metrics from phishing test exercises used by management to evaluate training effectiveness and guide additional employee training efforts?

    [ ] YES [ ] NO
  12. Which of the following controls have been implemented for backing up data for core processing, network administration, and other critical services? Check all that apply and provide explanations where needed in the comment box below.

Control | Core Processing | Network Admin | Data Type | Data Type | Data Type
a) Procedures are in place to prevent backups from being affected by ransomware and extortion. | [ ] | [ ] | [ ] | [ ] | [ ]
b) Access to backups requires an authentication method(s) that differs from the network method. | [ ] | [ ] | [ ] | [ ] | [ ]
c) At least daily full system (vs incremental) backups are made. | [ ] | [ ] | [ ] | [ ] | [ ]
d) At least two different backup copies are maintained, stored on different media, and stored separately. | [ ] | [ ] | [ ] | [ ] | [ ]
e) At least one backup is offline (air gapped) and/or immutable. | [ ] | [ ] | [ ] | [ ] | [ ]
f) Procedures allow immediate off-network restoration (i.e., cold site, warm site, hot site). | [ ] | [ ] | [ ] | [ ] | [ ]
g) Backup testing is conducted at least annually. | [ ] | [ ] | [ ] | [ ] | [ ]
h) Procedures are in place to validate the sterility of data backups prior to restoration. | [ ] | [ ] | [ ] | [ ] | [ ]

Describe backup controls:

  13. Has multi-factor authentication (MFA) been implemented in the institution?

    [ ] YES [ ] NO

    If yes, does the institution rely on stronger application-based or phishing-resistant authentication methods?

    [ ] YES [ ] NO

    Please indicate where/how MFA is used. Check all that apply.

    • For privileged access management (PAM) (domain administrative access, application administrative access, etc.)
    • By all users that access any cloud-based service (mortgage origination, HR platforms, etc.)
    • For cloud email services, such as Microsoft 365 and others
    • For access to external applications hosting non-public information (NPI)
    • For VPN/Remote Desktop (RDP) access into the network
    • For vendor access into the network
    • For internal service accounts
    • For customers accessing NPI (eBanking services, remote deposit capture, etc.)
    • Other:

    If there are any specific areas the institution has identified where the implementation of MFA is not planned or has been deferred to a later date, please identify below.

  14. Indicate which of the following additional preventative controls have been implemented. Check all that apply.

    • Have implemented change management and patch management procedures
    • Have disabled Remote Desktop Protocol (RDP) or restricted access
    • Have eliminated administrative access to endpoints, workstations, and network resources for all but network support personnel
    • Have implemented technical and administrative controls to manage the use of removable media
    • Have implemented configuration procedures to change default settings
    • Have adopted “least privileged access” concept
    • Have established a process for provisioning and reviewing Active Directory access
    • Have implemented procedures governing the resetting or replacement of authentication credentials
    • Have implemented a jump box or administrative VLAN
    • Have disabled all unnecessary browser or email client plugins
    • Have implemented a domain-based message authentication, reporting, and conformance (DMARC) policy
    • Have maintained and enforced network-based URL and DNS filtering
    • Have intrusion detection systems (IDS) and intrusion prevention systems (IPS)
    • Have implemented network segmentation and/or micro-segmentation
    • Have implemented behavior-based malware prevention tool(s)
  15. Are ransomware scenarios specifically included as part of annual testing of the Incident Response Plan?

    [ ] YES [ ] NO

    Does executive management participate in annual testing of the Incident Response Plan?

    [ ] YES [ ] NO

    Do appropriate C-suite representatives actively participate in annual testing of the Incident Response Plan?

    [ ] YES [ ] NO

DETECT

  1. Indicate which of the following monitoring practices are utilized for servers, backup systems, workstations, networks, and other endpoints. Check all that apply.
    • Data Loss Prevention Program (with MFA and real-time alerts)
    • Blocking and alerts of executable files attempting to connect to the Internet
    • Alerts to changes in privileged access rights
    • Active monitoring of network management tools used on workstations (WMI, PsExec, etc.)
    • Detection of suspicious file extensions
    • Detection of large amounts of file renaming
    • None of the above.
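Two of the practices above, detection of suspicious file extensions and detection of large amounts of file renaming, can be checked with straightforward logic over file-server audit events. The following Python is an added example, not part of the R-SAT or its authors' material: the log format, the user/time thresholds and the extension list are assumptions, and the sample events are constructed.

```python
"""Added example (not part of the R-SAT): flag suspicious new extensions and bursts of
renames in constructed file-server audit events. Thresholds/extensions are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed: new extensions worth alerting on; tune to your own threat intelligence.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
RENAME_THRESHOLD = 5                 # renames by one user inside WINDOW -> burst alert
WINDOW = timedelta(seconds=60)

# Constructed sample log: timestamp|user|host|action|old_path|new_path
SAMPLE_LOG = """\
2024-03-01T09:00:01|jdoe|FS01|RENAME|Q:\\loans\\app1.pdf|Q:\\loans\\app1.pdf.locked
2024-03-01T09:00:07|jdoe|FS01|RENAME|Q:\\loans\\app2.pdf|Q:\\loans\\app2.pdf.locked
2024-03-01T09:00:13|jdoe|FS01|RENAME|Q:\\loans\\app3.pdf|Q:\\loans\\app3.pdf.locked
2024-03-01T09:00:19|jdoe|FS01|RENAME|Q:\\loans\\app4.pdf|Q:\\loans\\app4.pdf.locked
2024-03-01T09:00:25|jdoe|FS01|RENAME|Q:\\loans\\app5.pdf|Q:\\loans\\app5.pdf.locked
2024-03-01T09:05:00|asmith|FS01|RENAME|Q:\\reports\\q1_v1.docx|Q:\\reports\\q1_v2.docx
2024-03-01T09:05:30|asmith|FS01|WRITE|Q:\\reports\\q1_v2.docx|Q:\\reports\\q1_v2.docx
"""

def parse_events(text):
    """Parse pipe-delimited audit lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action, old, new = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "old": old, "new": new})
    return events

def detect(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return {user: {"suspicious_ext": n, "rename_burst": bool}} for users with findings."""
    recent = defaultdict(list)       # user -> rename timestamps still inside the window
    findings = defaultdict(lambda: {"suspicious_ext": 0, "rename_burst": False})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "RENAME":
            continue                 # reads/writes are not rename activity
        user = ev["user"]
        if PureWindowsPath(ev["new"]).suffix.lower() in SUSPICIOUS_EXTENSIONS:
            findings[user]["suspicious_ext"] += 1
        times = recent[user]
        times.append(ev["ts"])
        while ev["ts"] - times[0] > window:
            times.pop(0)             # slide the window: drop renames older than WINDOW
        if len(times) >= threshold:
            findings[user]["rename_burst"] = True
    return {u: f for u, f in findings.items() if f["suspicious_ext"] or f["rename_burst"]}

ALERTS = detect(parse_events(SAMPLE_LOG))   # {'jdoe': {'suspicious_ext': 5, 'rename_burst': True}}
```

In production the same two signals would be fed by the file server's audit log or an EDR agent; the window and threshold should be tuned against a baseline of legitimate batch renames (for example, nightly imaging jobs) to keep false positives down.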

RESPOND

  1. Does the Incident Response Plan identify a person (internal or third-party) with the expertise to manage/coordinate all aspects of a ransomware response?

    [ ] YES [ ] NO
  2. Indicate which of the following ransomware response procedures are included in the Incident Response Plan. Check all that apply.

    • Designate an individual to monitor social media and news sources
    • Prevent or isolate the ransomware from spreading
    • Notify incident response stakeholders
    • Immediately contact federal law enforcement
    • Grant authority to shut down a third party’s access
    • Implement “out-of-band” communications procedures
    • Mitigate all exploited vulnerabilities
    • Perform threat hunting
    • Immediately notify legal counsel and cyber insurance company
    • Implement alternative strategies for connecting to critical third-party vendors
    • Determine the scope of the infection
    • Establish escalation processes for Business Continuity/Disaster Recovery Plan
    • Discuss ransom payment with the board (with OFAC awareness)
    • Establish procedures to preserve forensic information and audit logs
    • Restore systems/data if necessary
    • Contact federal/state regulators
    • Prepare communications document for internal staff
    • Determine the cause of the incident
    • Periodically update contact information
    • Notify affected employees, customers, and/or vendors
    • Notify and brief incident stakeholders
    • Other
  3. Has the institution identified any third parties to be engaged in the event of a successful ransomware or extortion attack?

    [ ] YES [ ] NO

    If yes, do prearranged service contracts or contact information exist?

    [ ] YES [ ] NO

    If yes, do you require these third parties to promptly engage with law enforcement?

    [ ] YES [ ] NO

    Are any such third parties pre-approved by the bank’s cyber insurance provider?

    [ ] YES [ ] NO

RECOVER

  1. Which of the following are included in procedures for returning to normal operations? Check all that apply.
    • User testing after restoration
    • After action review to identify lessons learned
    • Updating the Incident Response Plan
    • Providing refresher training to employee(s)
    • Notifying stakeholders
    • Other

COMMENTS (Optional)


APPENDIX A: IDENTIFY/PROTECT (Controls for Data Backup)

Use for additional critical services not listed in Question 12.

Control | Data Type | Data Type | Data Type | Data Type | Data Type
a) Procedures are in place to prevent backups from being affected by ransomware. | [ ] | [ ] | [ ] | [ ] | [ ]
b) Access to backups requires authentication differing from network method. | [ ] | [ ] | [ ] | [ ] | [ ]
c) At least daily full system (vs incremental) backups are made. | [ ] | [ ] | [ ] | [ ] | [ ]
d) At least two different backup copies are maintained and stored separately. | [ ] | [ ] | [ ] | [ ] | [ ]
e) At least one backup is offline (air gapped) and/or immutable. | [ ] | [ ] | [ ] | [ ] | [ ]
f) Procedures allow immediate off-network restoration. | [ ] | [ ] | [ ] | [ ] | [ ]
g) Backup testing is conducted at least annually. | [ ] | [ ] | [ ] | [ ] | [ ]
h) Procedures are in place to validate the sterility of data backups. | [ ] | [ ] | [ ] | [ ] | [ ]

Describe backup controls:


APPENDIX B: Ransomware Resources

Source: https://banking.colorado.gov/sites/banking/files/CSBS_Ransomware_Self-Assessment_Tool.pdf
