Guidance Cyber-threats and attacks for non-depository institutions

Date:	05/18/2017
Organization:	Division of Banks
Referenced Sources:	201 CMR 17.00: Standards for the protection of personal information of residents of the Commonwealth M.G.L. c. 93H

To the Chief Executive Officer of the Institution Addressed:

As you know from news reports, a global ransomware campaign is affecting over 100,000 (plus) computers in more than 155 countries. The ransomware exploits a vulnerability in Microsoft Windows, particularly the Windows XP operating system. The issue primarily relates to “computer hygiene,” that is, keeping your computers up-to-date and patched. Specific information about patching for this ransomware exploit (Microsoft patch for the MS-17-010 SMB vulnerability dated March 14, 2017) is on the US-CERT website.

Skip table of contents

You skipped the table of contents section.

Recommended resources

The Division issued an industry letter on cybersecurity self-assessments and the FFIEC’s cyber security assessment tool to all licensees on November 30, 2015, which is available on our website.
The Division’s information security examination work-program for non-depositories is also available on our website.
Additional information on cyber-security and ransomware can also be found on the FBI’s website.

Prevention is the most effective defense against ransomware, and it is critical to take precautionary measures for protection. Most important:

Never open attachments or follow links included in unsolicited e-mails.
Back-up your data, particularly sensitive or proprietary data, in a separate secure location.
Keep your anti-virus software up to date.

Massachusetts General Laws chapter 93H, and Massachusetts regulation 201 CMR 17.00 et seq. establishes guidelines to safeguard the personal information of residents of the Commonwealth. The statute requires any person holding personal information about a resident of the Commonwealth to maintain a Written Information Security Program (WISP) and to report any known breach of security to the Attorney General and the Undersecretary of Consumer Affairs and Business Regulation as soon as practicable and without unreasonable delay. It is the Division's expectation that a Licensee impacted by the ransomware will also report this to the Division as a data breach / significant event. If you have any questions about the Division's expectations regarding cybersecurity, please contact Chief Director Danielle Sherbertes at danielle.sherbertes@state.ma.us or 617-956-1553. To report a data breach or discuss sensitive information, please use secure email when contacting Ms. Sherbertes.

Sincerely,

Terence A. McGinnis

Commissioner of Banks

Massachusetts Division of Banks

Downloads for Cyber-threats and attacks for non-depository institutions

Open PDF file, 512.78 KB, Guidance on cyber-threats and attacks for non-depository institutions (English, PDF 512.78 KB)

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage?

Yes

If you have any suggestions for the website, please let us know. How can we improve the page?

Please do not include personal or contact information.

The feedback will only be used for improving the website. If you need assistance, please contact the Division of Banks. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback.

If you need assistance, please contact the Division of Banks.

Please let us know how we can improve this page.