Ransomware attacks and the costs to get businesses back up and running continue to increase. The hasty expansion of the remote workforce due to the COVID-19 pandemic only makes matters worse.
Ransomware is the third most common malware breach and the second most common malware incident type, according to the 2020 Verizon Data Breach Investigation Report.
According to the cybersecurity news service MSSP Alert, total ransomware costs (including a 16-day average downtime) will run between $2.3 billion and $9.3 billion in the US this year, with the average payment nearly doubling to $84,000. And these costs continue to rise.
No matter the industry or the geographic location, the threat of a ransomware attack is constant and highly credible. Understanding the maturity of your ransomware risk mitigation efforts must be a top priority as organizations evolve cyber-resilience programs. Postponing serious planning until next year’s budget is finalized could be a recipe for disaster.
Taking an inventory of financial institutions’ ransomware mitigation efforts and gaps in existing processes has become such a priority that the Conference of State Bank Supervisors (CSBS), the Secret Service, and the Bankers Electronic Crimes Taskforce (BECTF) released the Ransomware – Self-Assessment Tool (R-SAT) on October 13, 2020, to help organizations assess their state of preparedness.
Purpose of the R-SAT
The R-SAT is composed of 16 questions designed to reduce ransomware risk and to supply an overview of the institutions’ ability to identify, protect, detect, respond to, and recover from a ransomware attack.
The tool is meant to develop a more informed understanding of the level of resiliency your control environment provides in defense of ransomware attacks. Completion of the R-SAT will highlight weaknesses in your control environment and trigger necessary efforts to reduce the level of risk to an acceptable level.
This isn’t a risk assessment that will provide insight into your overall risk profile, it’s simply a control evaluation that will help identify any glaring holes that may require more formalization to give your organization a practical level of comfort.
Although not comprehensive, completion of the R-SAT provides executive management and the board of directors with an informed understanding of the organization’s ransomware resiliency posture and areas where improvements can be made.
A Necessary Option
The R-SAT was developed for financial institutions to complete as an optional resource. But don’t let the word “optional” mislead you into thinking it’s a choice. Expect to provide the completed R-SAT with the date reviewed by the board for your next exam.
Management may need to gather accurate and timely information within the institution. And due to the mild technical complexity of the questions, in addition to the dependency on vendors and third-party service providers, management may want support in answering specific questions.
Question #3 of the R-SAT asks, “Is the institution covered by a cyber-insurance policy that covers ransomware?”
The answer would take a review of the scope of your existing coverage to identify a potential gap or exclusion of ransomware. In addition to reviewing the coverage, verification of these details would likely require confirmation with your insurance carrier.
Who Gets the Results?
Upon completion, the expectation is that the board of directors will be kept informed of the results and be regularly updated as issues are resolved.
Completion and ongoing maintenance of the tool will allow you to paint a picture of your ransomware resiliency effectiveness allowing executive management and the board to make more informed strategic decisions.
At minimum, the results of the R-SAT and the status of ongoing activities should be included in the annual information security report to the board.
A Beginning, Not an End
The good news is that as a heavily regulated financial institution, many of the controls outlined in the R-SAT have been addressed already in one form or another within your organization through alignment with existing control frameworks and regulatory requirements.
The controls identified within the R-SAT are easy to understand in most cases. However, there are a few that might require more technical resources. The ability to effectively communicate the results of the R-SAT to senior management and the board of directors is the objective of this assessment and the content mostly aligns with this intent.
There’s no one-size-fits-all ransomware resiliency checklist. While the R-SAT aligns with industry best practices, some organizations may feel the prescribed controls are overkill, while others may feel they aren’t enough.
This tool also doesn’t provide the ability to determine inherent and residual risk of a successful ransomware attack, which would be helpful to determine how much effort and resources should be dedicated to the remediation of identified control gaps. However, the R-SAT is extremely useful and the inherent shortcomings shouldn’t deter you from adopting it.
Quality In, Quality Out
Completing the R-SAT is only as good as the effort your organization is willing to put into it. The level of effort to ensure completeness and accuracy of the assessment directly correlates to the value you’ll receive from the output.
This is an “optional” resource, but state regulators will expect to see a complete and accurate R-SAT with action plans in place to address identified gaps.
Ransomware attacks will continue to increase in frequency and sophistication if organizations fail to proactively develop appropriate controls to reduce or eliminate the impact of an attack and persist in reactively paying out ransom demands.
Every time a ransom is paid, the bad guys are incentivized to continue investing in resources to conduct attacks and evolve attack vectors. The best way for you to protect yourself and the cyberworld we all share is to take the appropriate measures to decrease the effectiveness of ransomware attacks through sound control implementation.
While the R-SAT isn’t the ultimate solution to defending against ransomware attacks, adopting it will provide valuable direction on your journey. The R-SAT will help you get the upper hand on the bad guys as well as keep you in the good graces of your regulators.
Learn more about preventing ransomware attacks and other cybersecurity tips at Jack Henry’s Cybersecurity Resource Center.