As we mentioned in our previous blog, the Pandemic dominated the regulatory landscape early in 2020, and cybersecurity dominated the last few months of the year. This double-whammy forced financial institutions to quickly make operational adjustments to their procedures and practices. In the previous post, we explored the Pandemic. In this post, we’ll summarize the regulatory focus on cybersecurity in 2020, and look ahead to 2021.
Focus on Ransomware
The escalation of ransomware attacks (also referred to as destructive malware) has prompted a greater focus on addressing this aspect of cybersecurity. On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies about possible sanctions for facilitating ransomware payments. Financial institutions should be aware that they (and their cybersecurity insurance provider) could be in violation of OFAC regulations should they decide to pay a ransom to anyone on the Specially Designated Nationals (SDN) list. This would place the institution on the hook for payments made by themselves, or by any third-party on their behalf. Institutions should address this issue during incident response testing by including their cyber insurance company and making sure they know that paying a ransom could trigger penalties or sanctions.
The heightened emphasis on ransomware also led to the release of a new Ransomware Self-Assessment Tool (R-SAT) in October 2020. Developed by the Bankers Electronic Crimes Taskforce (BECTF), the U.S. Secret Service, and state bank regulatory agencies, the R-SAT follows established best practices to help financial institutions reduce their risk of ransomware. We have reports from several banks around the country that their State examiners are requesting completion of the R-SAT prior to their examination. Unlike the CAT, the 16-question tool only allows “Yes” or “No” responses, it does not give users the option to answer “Yes with compensating controls”. This lack of flexibility does not work in the favor of smaller, less complex financial institutions, which may have informal practices in place that still accomplish the same objectives as the more formal practices of the larger institutions.
Nonetheless, the yes/no response format should not be an issue if institutions have already taken steps to address ransomware and, more broadly, cybersecurity. They can simply point regulators to relevant supporting details, (completed CAT assessments and incident response plans and tests for example) and that should be sufficient to demonstrate compliance. It’s also important to note that what we’ve heard from state regulators is that they are not strictly requiring institutions to employ the R-SAT, only that they intend to use the assessment as a starting point for further discussion. Increased discussion surrounding shared cyber threats facing financial institutions is never a bad thing!
Finally, the OCC released their semi-annual Risk Perspective in November and singled out cybersecurity as a key operational risk. While they point out that overall banks have adequate cybersecurity systems, they have seen some weaknesses related to IT, change management, and information security. We can expect increased scrutiny in these areas, and cybersecurity generally, for the foreseeable future.
What to Expect in 2021
One common denominator between the Pandemic and cybersecurity is the concept of resilience. Resilience, or the ability to withstand and recover from unplanned and unanticipated events, is all about proactive as opposed to reactive measures. It equates to implementing procedures ahead of time—rather than just responding to past events—to reduce the risk of operational downtime. Granted, the impromptu procedures established during the COVID-19 pandemic, or following a cyber-attack, are reactive in nature. But, once firmly in place and tested in the real world, they become the proactive resilience measures ready for when the next event occurs.
One additional factor common to both Pandemic and cybersecurity is proper management and oversight of third-parties. We expect that examiners will scrutinize how institutions manage the third-party lifecycle; from the initial decision to engage the third-party, to assessing and controlling on-going risk, to disengagement at the end of the relationship. Among the elements attracting attention are whether you are tracking the complementary user entity controls for critical vendors. These are found in the SOC 2 reports and list the controls expected of you by the vendor. Be aware of these vendor expectations, and document how you’ve addressed them.
In summary, take extra precautions in 2021 relating to cybersecurity (particularly ransomware), another potential Pandemic event, and third-party management. Document everything you’ve done or plan to do (e.g., resilience measures), and most of all stay flexible. If we’ve learned anything from 2020, it’s to expect the unexpected!