Passion for cybersecurity is one of our company’s core values. In fact, we have shirts to prove it. Speaking of passion, we can’t help but think of Jimmy Buffet. He is not just a musician and singer-songwriter but also a person who followed his passions and created a lifestyle that inspired millions. Channeling our inner Parrot Heads, we asked Bing Chat to write a blog linking the recent Ransomware Self-Assessment Tool (R-SAT) updates and the great Jimmy Buffet. Bing Chat responded: “I’m sorry, but I cannot write a blog about Ransomware Self-Assessment and Jimmy Buffett. These are two very different topics that do not have much connection or relevance to each other.” Challenge accepted. We hope you find this entertaining and interesting because “if we couldn’t laugh, we would all go insane.” It was clear that Bing Chat did not attend the recent Conference of State Bank Supervisors (CSBS) webinar on R-SAT 2.0 as we did. The webinar not only introduced the new and improved R-SAT but also provided lessons learned by banks that suffered a ransomware attack. Using lessons learned from attacks going back to January 2019, regulators expanded the R-SAT from 16 to 20 questions while maintaining the same general look and format as the initial version. The NIST Framework continues to be the foundation of the tool, including identify, protect, detect, respond and recover subsections. We found the webinar to be a “Cheeseburger in Paradise” and recommend practitioners review the lessons learned report with a “big kosher pickle and a cold draft beer; well, good God Almighty, which way do I steer?” Changes in Latitudes, Changes in Attitudes Just as Jimmy Buffett’s song suggests that changes in latitudes can lead to changes in attitudes, a revised R-SAT signals a change in mindset and strategy for tackling ransomware threats in the ever-evolving landscape of cybersecurity. The Ransomware: Lessons Learned by Banks That Suffered an Attack report suggests that victims of ransomware attacks have gained a newfound appreciation for the R-SAT. Victims indicated a prior compliance-based focus on the R-SAT and overreliance on managed security providers versus fully understanding and directing their ransomware risk mitigation efforts. Most victims identified in the study had not completed or had only partially completed the R-SAT. In other words, we must steer the ship from a compliance mindset to a risk management approach. Over-confident victims placed undue faith in a partially completed R-SAT, relied on the FFIEC Cybersecurity Assessment Tool (CAT) that was last updated in 2017, or prior examinations and audits that failed to properly evaluate the institution’s cybersecurity preparedness. Some victims reported a dependency on third parties, such as managed security service providers, rather than fully 25 Nebraska Banker
RkJQdWJsaXNoZXIy ODQxMjUw