The Conference of State Bank Supervisors (CSBS) has released an update (version 2.0) to the Ransomware Self-Assessment Tool (R-SAT) for financial institutions. The R-SAT, which was developed in collaboration with the Bankers Electronic Crimes Task Force, state bank regulators and the U.S. Secret Service, was originally released in October 2020.

According to the Texas Department of Banking, the tool is “proven to be a thought-provoking but easy-to-use and repeatable tool to help financial institutions periodically assess their own efforts to mitigate risks specifically associated with ransomware and to identify gaps for increasing security. The R-SAT also provides executive management and the board of directors with an overview of the institution’s preparedness towards identifying, protecting, detecting, responding to and recovering from a ransomware attack.”

Version 2.0 reflects updates developed in light of evolutions in the ransomware threat environment and threat actor behaviors, as well as changes in financial institution control environments that have occurred since its original issuance. Updates to the R-SAT were also based in part on the results of a study conducted by multiple state banking departments of ransomware attacks on state-chartered banks and credit unions between January 1, 2019, and December 31, 2022. Findings from this study are summarized in the report, Ransomware: Lessons Learned by Banks That Suffered an Attack.

Due to the significant updates in the R-SAT, especially related to multi-factor authentication, the Texas Department of Banking recommends that banks update their R-SAT as soon as possible. The agency’s examiners will review and discuss banks’ completed R-SAT 2.0 at upcoming information technology examinations beginning April 1, 2024.
­­
The Texas Department of Banking suggests that if bankers have questions about the R-SAT tool, they should contact Ruth Norris, chief IT security examiner at the agency.