Both the State banking regulators and the Treasury Department have issued recent advisories to financial institutions regarding the ransomware threat. Ransomware is defined as a form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or programs, in order to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. In some cases, in addition to the attack, the perpetrators threaten to publish sensitive files belonging to the victims, which can be individuals or business entities affiliated or associated with the financial institution.
US Department of the Treasury
First, the Treasury, via the Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”), issued a pair of advisories in early October. FinCEN provided general information about the threat of ransomware and the existing requirements for filing Suspicious Activity Reports (SARs) for any ransomware payments conducted by, at, or through the financial institution. Because most ransomware demands involve bitcoin (also referred to as “convertible virtual currency” or CVC), and the bitcoin is typically converted into funds and transmitted via the ACH, wire, or credit card networks, institutions facilitating the transactions may run afoul of anti-money laundering and/or anti-terrorism laws.
In a related advisory, OFAC reminded institutions of the risks (i.e. sanctions and financial penalties) associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities. Taken together, the two advisories discourage financial institutions from participating in transactions involving ransomware payments. Although this may seem like common sense, the increasing use of cyber insurance to control the financial risks of ransomware may remove the institution from the driver’s seat when it comes to negotiating with the ransomware perpetrators. Many (if not most) cyber insurance carriers require that, in order to cover a potential claim from a cyber event, they be notified early in the event, and that they take the lead role in any negotiations with the perpetrators. The FinCEN advisory also reminds institutions that any payments negotiated by third parties on behalf of the institution remain the responsibility (i.e. liability) of the institution.
State Bank Regulators
Finally, starting this past October we’ve seen multiple occurrences of a Ransomware Self-Assessment Tool (R-SAT) being delivered to financial institutions subject to State oversight (i.e. all state chartered institutions). Developed by the Bankers Electronic Crimes Task Force, State Bank Regulators (CSBS), and the United States Secret Service, the R-SAT was created “…to help financial institutions assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security.” Although the email accompanying the document states that “…The tool does not establish new regulatory expectations,” institutions are being advised to complete the 16-question assessment and be prepared to discuss it with the state examiners at their next visit. (Although there are only 16 questions, most have multiple components, making the actual number of required responses closer to 60 – 65.)
This is causing confusion among many institutions, because anything requiring completion prior to an examination essentially becomes a de facto requirement. So how should institutions react to this new assessment? Is there anything new to be gained by completing it that would justify the additional time commitment?
Since this is very new, we’ve reached out to IT auditors as well as our regulatory contacts at the state and federal level to get their opinions. It appears that the intention is to possibly expand usage of this assessment beyond State examiners, as the document states that “This could also assist other third parties (such as auditors, security consultants and regulators).” So far, though, the auditors and federal level examiners appear to be blindsided by this as well, so more to come on that. Our initial impression is that the questionnaire is more of a conversation starter about ransomware best practices than a prescriptive checklist of “must-do” items. Indeed, the document is organized around the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
Regarding the OFAC advisories, you and your cyber insurance company need to be aware that if the carrier is involved in facilitating ransomware payments on your behalf, you must also consider whether you may be in violation of regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations on payments to specially designated nationals. Our experience is that most cyber insurance carriers are not up to speed with current guidance, potentially putting you at risk.
Regarding the R-SAT, until we receive more feedback from the field, our position is that (as with everything else) taking a risk-based approach is best. That means completion of this document should be “optional” IF:
- If your existing information security risk assessment already identifies all reasonably anticipated risks and threats and associated controls, then ransomware is already addressed. (Ransomware is simply one malware threat in the cyber-threat universe.)
- If you’ve been completing the FFIEC CAT each year, you should have a pretty good idea of your risks and controls (including protective and detective), and how they’ve been trending over the past few years.
- If you’ve been conducting a gap analysis based on the results, you’ve already addressed any misalignments between your current cyber risk profile and your desired profile. (In fact, question #2 on the R-SAT asks, “Has a GAP analysis been performed to identify controls that have not been implemented but are recommended in the standards and frameworks that you use?”)
- If your Incident Response Plan has expanded the definition of “misuse of data” to include not just unauthorized access to data, but also unauthorized denial of access to data.
- And finally, if your BCMP assesses the probability and impact of destructive malware, and if you’ve been periodically incorporating a ransomware scenario into your annual BCMP and Incident Response testing exercises, you’ve already validated your ability to respond to and recover from a ransomware attack.
Our advice would be to consider completing the R-SAT if you feel you haven’t adequately addressed ransomware elsewhere, and then only as a stopgap until you’ve enhanced your InfoSec risk assessment, your BCMP and Incident Response Plans, and conducted a cybersecurity gap analysis. But if you’ve already checked those boxes (and unless you have extra time on your hands), we strongly recommend calling the state examiner’s attention to your existing and on-going cyber threat identification, detection, response and recovery efforts, and leaving it at that.
We reached out to, and have heard back from, a State examiner on how they intend to utilize the R-SAT. Here is a summary of their reply:
- “…we intend to use this as a consultative tool in appropriate situations with our banks and credit unions.”
- “…we will not be requiring compulsory use.”
- “We are hoping that the conversations with institutions will entail questions/conversations such as ‘have you looked at it’, ‘do you find it helpful’, ‘these are items that can enhance your current process.’”
- “We do believe that most of this should already be in place from an incident management and business continuity stand point.”
- The approach outlined in this article is “consistent with their thoughts.”
Not all State examiners may take exactly the same approach, so we’ll continue to update this as feedback comes in.
(Note: As stated earlier, we are awaiting more feedback from examiners and auditors in the field, so you may want to bookmark this page and check back periodically for any updates.)