Working with the Bankers Electronic Crimes Task Force and the United States Secret Service, state supervisors released Ransomware Self-Assessment Tools (R-SAT) for both banks and nonbanks in 2020. R-SAT helps financial institutions assess how they can mitigate ransomware risks and identify other cybersecurity gaps. 

In October 2023, we released a new, updated R-SAT for banks to address new risks associated with ransomware attacks and identify security gaps. The updated R-SAT incorporates insights from cybersecurity experts, feedback from financial institutions, and lessons learned from analyzing real-life ransomware attacks.

While financial institutions may have good cybersecurity practices in place, rapid advancements in ransomware techniques and the potentially devastating consequences of a successful attack require every financial institution to review and update their ransomware-specific controls. The updated R-SAT places an increased emphasis on topics such as multi-factor authentication, employee awareness and security training, cloud-based systems or activities, and the identification of control risks that have not been mitigated to an acceptable risk level.

An industry-wide webinar hosted by CSBS briefed bankers on the updated tool, covering the specific changes to the R-SAT, research, and insights from the industry that led to these changes, and how banks can most effectively leverage the tool to protect their institutions and customers. State regulators continue to be proactive and adaptive to the needs of the diverse banking system. Updates to the R-SAT are yet another example of state regulators empowering their institutions with tools to protect our financial system and the customers it serves.