Additional Lessons Learned

Other critical items noted in the report included the following observations and findings:

• Expanding cloud usage requires greater awareness of where data is located, as well as which services are cloud-based.
• Ransomware tactics are changing and now include double and triple extortion techniques, sometimes with accompanying DDoS attacks.
• Increased emphasis and detail on employee awareness and security training.
• Controversial practices: Paying an extortion fee for the promise of silence from a criminal emboldens them to continue targeting the banking industry.

Why a Revised R-SAT?

Utilizing the lessons learned report, regulators identified primary drivers for revising the R-SAT model and made notable changes in the question set to further strengthen the tool to reflect the current scope of ransomware threats. The primary drivers for the revised R-SAT included:

• Changes needed to address the evolving threat environment and bad actor tactics.
• Changes needed to address changing bank environments and controls.

Notable Changes

• Increased emphasis on MFA.
• Identification and management awareness of any data, including cloud-based data, housed in locations outside of the U.S.
• Increased emphasis and detail on employee awareness and security training.
• Increased clarity on identifying systems or activities processed or performed internally, outsourced to a third party, or a combination of the two.
• Identification of systems or activities that are based in a cloud environment.

27 Nebraska Banker