The NYDFS recently issued guidance on what steps financial institutions should be taking to reduce the risk of a ransomware attack...
The New York Division of Financial Services (NYDFS or Department) recently issued guidance on what steps financial institutions should be taking to reduce the risk of a ransomware attack. The new guidelines come as the number of ransomware attacks increased 300 percent in 2020.
Rise in Ransomware Attacks
Ransomware attacks are among the most disruptive cyberattacks. They have also become increasingly prevalent and more sophisticated in recent years. Cybercriminals’ success in obtaining large extortion payments has also financed the development of more effective hacking and ransomware tools and helped recruit additional hackers. Accordingly, NYDFS shares the FBI’s view that companies should avoid making ransomware payments if their networks are compromised. Instead, the Department is calling on businesses to dedicate their resources to thwarting attacks.
“As ransomware attacks continue to surge, implementing cybersecurity measures is critical to protect consumers and business lines,” Superintendent Linda Lacewell said in a press statement. “As reported, cybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry. We must all do our part to prevent ransomware incidents.”
In its ransomware guidance, NYDFS warns that a major ransomware attack could cause the next great financial crisis. “A ransomware attack that simultaneously cripples several financial services companies could lead to a loss of confidence in the financial system,” the guidance states. “This could happen either through an exploitation of a vulnerability in widely used software to attack many companies at once – as seen recently for SolarWinds and Microsoft Exchange – or through a single ransomware attack that disables critical infrastructure for financial services, such as a cloud services provider or a regional power grid.”
NYDFS also notes that the cost of ransomware has also impacted the cyber insurance market. Because of ransomware, loss ratios on cyber insurance increased from an average of 42% during 2015-2019 to 73% in 2020, according to the Department.
NYDFS Ransomware Guidance
NYDFS has investigated reports of ransomware attacks made to the agency and determined that the perpetrators are repeatedly using the same handful of techniques. In most cases, hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.
NYDFS has also confirmed that most attacks are preventable. “Each step in this playbook has known cybersecurity countermeasures, which if implemented effectively will substantially reduce the risk of a successful ransomware attack,” the Department states.
Below are several of NYDFS’s recommended security controls:
Email Filtering and Anti-Phishing Training: NYDFS advises that required cybersecurity awareness training pursuant to 23 NYCRR § 500.14(b) should include recurrent phishing training, including how to spot, avoid, and report phishing attempts. “Companies should also conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails, and remedial training for employees as necessary,” the guidance states. Additionally, emails should be filtered to block spam and malicious attachments/links from reaching users.
Vulnerability/Patch Management: As mandated by 23 NYCRR § 500.05(b), companies should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure. The program should include periodic penetration testing. NYDFS stresses that timely remediation of vulnerabilities is essential and requires strong governance, including assignment and tracking of responsibilities. Vulnerability management should include requirements for timely application of security patches and updates. Wherever possible, regulated companies should enable automatic updates.
Multi-Factor Authentication (MFA): As the guidance highlights, MFA for remote access to the network and all externally exposed enterprise and third-party applications is required by 23 NYCRR § 500.12. All logins to privileged accounts, whether remote or internal, should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking.
Disable RDP Access: Regulated entities should disable RDP access from the internet wherever possible. If, after assessing the risk, RDP access is deemed necessary, then access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.
Password Management: NYDFS states that regulated companies should ensure that strong, unique passwords are used. Privileged user accounts should require passwords of at least 16 characters and ban commonly used passwords. Larger organizations with dozens or hundreds of privileged user and service accounts should strongly consider a password vaulting PAM (privileged access management) solution which requires employees to request and check out passwords. Additionally, password caching should be turned off wherever possible.
Privileged Access Management: In accordance with 23 NYCRR §§ 500.03(d); 500.07, regulated companies should implement the principle of least privileged access – each user or service account should be given the minimum level of access necessary to perform the job. NYDFS advises that privileged accounts should be carefully protected, and companies should maintain and periodically audit an inventory of all privileged accounts. Privileged accounts should be used only for tasks requiring elevated privileges, and administrators should have a second non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc.
Monitoring and Response: As mandated under 23 NYCRR § 500.03(h), regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity. Regulated companies should implement an Endpoint Detection and Response (EDR) solution, which monitors for anomalous activity. As NYDFS notes, advanced EDR can quarantine infected systems, potentially stopping ransomware from executing before it can encrypt the endpoint.
Tested and Segregated Backups: In accordance with 23 NYCRR §§ 500.03(e), (f), and (n), regulated companies should maintain comprehensive, segregated backups that will allow recovery in the event of a ransomware attack. As stated in the guidelines, “It is important to periodically test backups by actually restoring critical systems from backups – this is the only way to be sure the backups will actually work when needed.”
Incident Response Plan: As required under 23 NYCRR § 500.16, regulated companies should have an incident response plan that explicitly addresses ransomware attacks. “The plan should be tested, and the testing should include senior leadership – decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident,” the guidance states.
Reporting Ransomware Attacks to NYDFS
NYDFS further advises that given that ransomware attacks inherently pose significant risks to the confidentiality, integrity, and availability of an organization’s data, regulated companies should assume that any successful deployment of ransomware on their internal network should be reported to DFS “as promptly as possible and within 72 hours at the latest,” pursuant to 23 NYCRR § 500.17(a). Similarly, any intrusion where hackers gain access to privileged accounts generally must also be reported. According to the Department, it is considering clarifying its reporting requirements by expressly requiring these types of incidents to be reported.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Thomas Herndon, Jr., or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Secured transactions form the backbone of a wide range of business dealings, including business loans, mortgages, and inventory financing. Because the stakes are often high and relatively minor oversights can have drastic consequences, lenders and borrowers should thoroughly understand how to form an enforceable security agreement that protects their legal rights. What Is a Secured […]
Don’t Cash a “Paid in Full” Check Without Understanding the Legal Implications
Cashing a check marked “paid in full” can be a risky endeavor, particularly if you don’t fully understanding the legal implications. If you are owed more than the amount of the check you accept and deposit, you may waive your right to collect the full disputed amount. That is why you should consider either rejecting […]
Changes to Qualified Small Business Stock Will Benefit Startup Founders and Investors
The One Big Beautiful Bill Act of 2025 (OBBBA) significantly impacts federal taxes, credits, and deductions. A key change relating to Qualified Small Business Stock (QSBS) allows greater tax-free gains for investments in startups and other qualifying small businesses. Company founders and other investors should understand how the enhanced tax strategy works or risk missing […]
Corporate Consolidation and Antitrust Issues in Mergers
Corporate consolidation involves two or more businesses merging to become a single larger entity. The result is often a stronger and more competitive company that can better navigate today’s competitive marketplace. What Is Corporate Consolidation? Corporate consolidation closely resembles a basic merger transaction. The primary difference is that a consolidation creates an entirely new business […]
Business law plays a critical role in nearly every aspect of running a successful enterprise, from negotiating a commercial lease to drafting employee policies to fulfilling corporate disclosure obligations. Understanding what is business law and your legal obligations can help your business run smoothly and build productive relationships with clients, business partners, regulators, and others. […]
Corporate Transactions: Best Practices for Successful Deals
Corporate transactions can have significant implications for a corporation and its stakeholders. For deals to be successful, companies must act strategically to maximize value and minimize risk. It is also important to fully understand the legal and financial ramifications of corporate transactions, both in the near and long term. Understanding Corporate Transactions The term “corporate […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
