Scarinci Hollenbeck, LLC

Firm Insights

NYDFS Issues New Guidance on Ransomware Prevention

Author: Scarinci Hollenbeck, LLC

Date: July 23, 2021



The New York Department of Financial Services (NYDFS or Department) recently issued guidance on the steps financial institutions should be taking to reduce the risk of a ransomware attack. The new guidelines come as the number of ransomware attacks increased 300 percent in 2020.

Rise in Ransomware Attacks

Ransomware attacks are among the most disruptive cyberattacks. They have also become increasingly prevalent and more sophisticated in recent years. Cybercriminals’ success in obtaining large extortion payments has also financed the development of more effective hacking and ransomware tools and helped recruit additional hackers. Accordingly, NYDFS shares the FBI’s view that companies should avoid making ransomware payments if their networks are compromised. Instead, the Department is calling on businesses to dedicate their resources to thwarting attacks.

“As ransomware attacks continue to surge, implementing cybersecurity measures is critical to protect consumers and business lines,” Superintendent Linda Lacewell said in a press statement. “As reported, cybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry. We must all do our part to prevent ransomware incidents.”

In its ransomware guidance, NYDFS warns that a major ransomware attack could cause the next great financial crisis. “A ransomware attack that simultaneously cripples several financial services companies could lead to a loss of confidence in the financial system,” the guidance states. “This could happen either through an exploitation of a vulnerability in widely used software to attack many companies at once – as seen recently for SolarWinds and Microsoft Exchange – or through a single ransomware attack that disables critical infrastructure for financial services, such as a cloud services provider or a regional power grid.”

NYDFS also notes that the cost of ransomware has affected the cyber insurance market. Because of ransomware, loss ratios on cyber insurance increased from an average of 42% during 2015-2019 to 73% in 2020, according to the Department.

NYDFS Ransomware Guidance

NYDFS has investigated reports of ransomware attacks made to the agency and determined that the perpetrators are repeatedly using the same handful of techniques. In most cases, hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.

NYDFS has also confirmed that most attacks are preventable. “Each step in this playbook has known cybersecurity countermeasures, which if implemented effectively will substantially reduce the risk of a successful ransomware attack,” the Department states.

Below are several of NYDFS’s recommended security controls:

  • Email Filtering and Anti-Phishing Training: NYDFS advises that required cybersecurity awareness training pursuant to 23 NYCRR § 500.14(b) should include recurrent phishing training, including how to spot, avoid, and report phishing attempts. “Companies should also conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails, and remedial training for employees as necessary,” the guidance states. Additionally, emails should be filtered to block spam and malicious attachments/links from reaching users.
  • Vulnerability/Patch Management: As mandated by 23 NYCRR § 500.05(b), companies should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure. The program should include periodic penetration testing. NYDFS stresses that timely remediation of vulnerabilities is essential and requires strong governance, including assignment and tracking of responsibilities. Vulnerability management should include requirements for timely application of security patches and updates. Wherever possible, regulated companies should enable automatic updates.
  • Multi-Factor Authentication (MFA): As the guidance highlights, MFA for remote access to the network and all externally exposed enterprise and third-party applications is required by 23 NYCRR § 500.12. All logins to privileged accounts, whether remote or internal, should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking.
  • Disable RDP Access: Regulated entities should disable RDP access from the internet wherever possible. If, after assessing the risk, RDP access is deemed necessary, then access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.
  • Password Management: NYDFS states that regulated companies should ensure that strong, unique passwords are used. Privileged user accounts should require passwords of at least 16 characters and ban commonly used passwords. Larger organizations with dozens or hundreds of privileged user and service accounts should strongly consider a password vaulting PAM (privileged access management) solution, which requires employees to request and check out passwords. Additionally, password caching should be turned off wherever possible.
  • Privileged Access Management: In accordance with 23 NYCRR §§ 500.03(d) and 500.07, regulated companies should implement the principle of least privilege: each user or service account should be given the minimum level of access necessary to perform the job. NYDFS advises that privileged accounts should be carefully protected, and companies should maintain and periodically audit an inventory of all privileged accounts. Privileged accounts should be used only for tasks requiring elevated privileges, and administrators should have a second, non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc.
  • Monitoring and Response: As mandated under 23 NYCRR § 500.03(h), regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity. Regulated companies should implement an Endpoint Detection and Response (EDR) solution, which monitors for anomalous activity. As NYDFS notes, advanced EDR can quarantine infected systems, potentially stopping ransomware from executing before it can encrypt the endpoint.
  • Tested and Segregated Backups: In accordance with 23 NYCRR §§ 500.03(e), (f), and (n), regulated companies should maintain comprehensive, segregated backups that will allow recovery in the event of a ransomware attack. As stated in the guidelines, “It is important to periodically test backups by actually restoring critical systems from backups – this is the only way to be sure the backups will actually work when needed.”
  • Incident Response Plan: As required under 23 NYCRR § 500.16, regulated companies should have an incident response plan that explicitly addresses ransomware attacks. “The plan should be tested, and the testing should include senior leadership – decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident,” the guidance states.

Reporting Ransomware Attacks to NYDFS

NYDFS further advises that, because ransomware attacks inherently pose significant risks to the confidentiality, integrity, and availability of an organization’s data, regulated companies should assume that any successful deployment of ransomware on their internal network must be reported to DFS “as promptly as possible and within 72 hours at the latest,” pursuant to 23 NYCRR § 500.17(a). Similarly, any intrusion in which hackers gain access to privileged accounts generally must also be reported. According to the Department, it is considering clarifying its reporting requirements by expressly requiring these types of incidents to be reported.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Thomas Herndon, Jr., or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
