The Conference of State Bank Supervisors (CSBS) has released an update to the Ransomware Self-Assessment Tool (R-SAT), Version 2.0 for banks.

The Conference of State Bank Supervisors (CSBS) has released an update to the Ransomware Self-Assessment Tool (R-SAT), Version 2.0 for banks.

The R-SAT, which was developed in collaboration with the Bankers Electronic Crimes Task Force, state bank regulators, and the US Secret Service, was originally released in October 2020. It is proven to be a thought-provoking but easy-to-use and repeatable tool to help financial institutions periodically assess their own efforts to mitigate risks specifically associated with ransomware and to identify gaps for increasing security. The R-SAT also provides executive management and the board of directors with an overview of the institution’s preparedness towards identifying, protecting, detecting, responding to, and recovering from a ransomware attack. And as a secondary benefit, the R-SAT is useful tool for auditors, consultants, and regulators who may be evaluating an institution’s security policies and practices. Version 2.0 reflects updates developed in light of evolutions in the ransomware threat environment and threat actor behaviors, as well as changes in bank control environments that have occurred since its original issuance.

A copy of the updated R-SAT has been attached for your convenience. DFPI encourages the completion of the R-SAT 2.0 as soon as practical and for the institution to revisit the assessment annually. DFPI examiners will request a completed copy of the R-SAT as part of the request list for your next IT examination, and in advance of every IT examination thereafter. In addition, examiners will discuss the complete R-SAT with your bank during the examination.

To further underscore the importance of ransomware preparedness, we have also included a copy of the “Ransomware Lessons Learned by Banks That Suffered an Attack”. This report details the results of a study, conducted by multiple state banking departments across the United States, of state-chartered banks and credit unions that were victims of ransomware attacks from January 1, 2019, through December 31, 2022. Findings from this study, which are summarized in this report, have been incorporated into the Ransomware Self-Assessment Tool (R-SAT), Version 2.0.

DFPI remains committed to maintaining a proactive and adaptive approach to keeping our financial institutions safe and secure. The R-SAT is a valuable tool your institution can leverage to ensure our financial system remains safe, sound, and resilient in a changing cybersecurity landscape. We strongly encourage you to familiarize yourself with this resource and incorporate it into your periodic assessments of your institution’s cybersecurity and ransomware preparedness.

• Ransomware Lessons Learned by Banks That Suffered an Attack - Final 23.10.24.pdf
• R-SAT 2.0 (1).pdf