The NYDFS recently issued guidance on what steps financial institutions should be taking to reduce the risk of a ransomware attack...
The New York Division of Financial Services (NYDFS or Department) recently issued guidance on what steps financial institutions should be taking to reduce the risk of a ransomware attack. The new guidelines come as the number of ransomware attacks increased 300 percent in 2020.
Rise in Ransomware Attacks
Ransomware attacks are among the most disruptive cyberattacks. They have also become increasingly prevalent and more sophisticated in recent years. Cybercriminals’ success in obtaining large extortion payments has also financed the development of more effective hacking and ransomware tools and helped recruit additional hackers. Accordingly, NYDFS shares the FBI’s view that companies should avoid making ransomware payments if their networks are compromised. Instead, the Department is calling on businesses to dedicate their resources to thwarting attacks.
“As ransomware attacks continue to surge, implementing cybersecurity measures is critical to protect consumers and business lines,” Superintendent Linda Lacewell said in a press statement. “As reported, cybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry. We must all do our part to prevent ransomware incidents.”
In its ransomware guidance, NYDFS warns that a major ransomware attack could cause the next great financial crisis. “A ransomware attack that simultaneously cripples several financial services companies could lead to a loss of confidence in the financial system,” the guidance states. “This could happen either through an exploitation of a vulnerability in widely used software to attack many companies at once – as seen recently for SolarWinds and Microsoft Exchange – or through a single ransomware attack that disables critical infrastructure for financial services, such as a cloud services provider or a regional power grid.”
NYDFS also notes that the cost of ransomware has also impacted the cyber insurance market. Because of ransomware, loss ratios on cyber insurance increased from an average of 42% during 2015-2019 to 73% in 2020, according to the Department.
NYDFS Ransomware Guidance
NYDFS has investigated reports of ransomware attacks made to the agency and determined that the perpetrators are repeatedly using the same handful of techniques. In most cases, hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.
NYDFS has also confirmed that most attacks are preventable. “Each step in this playbook has known cybersecurity countermeasures, which if implemented effectively will substantially reduce the risk of a successful ransomware attack,” the Department states.
Below are several of NYDFS’s recommended security controls:
Email Filtering and Anti-Phishing Training: NYDFS advises that required cybersecurity awareness training pursuant to 23 NYCRR § 500.14(b) should include recurrent phishing training, including how to spot, avoid, and report phishing attempts. “Companies should also conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails, and remedial training for employees as necessary,” the guidance states. Additionally, emails should be filtered to block spam and malicious attachments/links from reaching users.
Vulnerability/Patch Management: As mandated by 23 NYCRR § 500.05(b), companies should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure. The program should include periodic penetration testing. NYDFS stresses that timely remediation of vulnerabilities is essential and requires strong governance, including assignment and tracking of responsibilities. Vulnerability management should include requirements for timely application of security patches and updates. Wherever possible, regulated companies should enable automatic updates.
Multi-Factor Authentication (MFA): As the guidance highlights, MFA for remote access to the network and all externally exposed enterprise and third-party applications is required by 23 NYCRR § 500.12. All logins to privileged accounts, whether remote or internal, should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking.
Disable RDP Access: Regulated entities should disable RDP access from the internet wherever possible. If, after assessing the risk, RDP access is deemed necessary, then access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.
Password Management: NYDFS states that regulated companies should ensure that strong, unique passwords are used. Privileged user accounts should require passwords of at least 16 characters and ban commonly used passwords. Larger organizations with dozens or hundreds of privileged user and service accounts should strongly consider a password vaulting PAM (privileged access management) solution which requires employees to request and check out passwords. Additionally, password caching should be turned off wherever possible.
Privileged Access Management: In accordance with 23 NYCRR §§ 500.03(d); 500.07, regulated companies should implement the principle of least privileged access – each user or service account should be given the minimum level of access necessary to perform the job. NYDFS advises that privileged accounts should be carefully protected, and companies should maintain and periodically audit an inventory of all privileged accounts. Privileged accounts should be used only for tasks requiring elevated privileges, and administrators should have a second non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc.
Monitoring and Response: As mandated under 23 NYCRR § 500.03(h), regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity. Regulated companies should implement an Endpoint Detection and Response (EDR) solution, which monitors for anomalous activity. As NYDFS notes, advanced EDR can quarantine infected systems, potentially stopping ransomware from executing before it can encrypt the endpoint.
Tested and Segregated Backups: In accordance with 23 NYCRR §§ 500.03(e), (f), and (n), regulated companies should maintain comprehensive, segregated backups that will allow recovery in the event of a ransomware attack. As stated in the guidelines, “It is important to periodically test backups by actually restoring critical systems from backups – this is the only way to be sure the backups will actually work when needed.”
Incident Response Plan: As required under 23 NYCRR § 500.16, regulated companies should have an incident response plan that explicitly addresses ransomware attacks. “The plan should be tested, and the testing should include senior leadership – decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident,” the guidance states.
Reporting Ransomware Attacks to NYDFS
NYDFS further advises that given that ransomware attacks inherently pose significant risks to the confidentiality, integrity, and availability of an organization’s data, regulated companies should assume that any successful deployment of ransomware on their internal network should be reported to DFS “as promptly as possible and within 72 hours at the latest,” pursuant to 23 NYCRR § 500.17(a). Similarly, any intrusion where hackers gain access to privileged accounts generally must also be reported. According to the Department, it is considering clarifying its reporting requirements by expressly requiring these types of incidents to be reported.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Thomas Herndon, Jr., or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
When Are New Jersey Business Owners Personally Liable for Corporate Debt?
New Jersey personal guaranty liability is a critical issue for business owners who regularly sign contracts on behalf of their companies. A recent New Jersey Supreme Court decision provides valuable guidance on when a business owner can be held personally responsible for a company’s debt. Under the Court’s decision in Extech Building Materials, Inc. v. […]
Commercial real estate trends in 2026 are being shaped by shifting economic conditions, technological innovation, and evolving tenant demands. As the market adjusts to changing interest rates, capital flows, and workplace models, investors, owners, tenants, and developers must understand how these trends are influencing opportunities and risk in the year ahead. Overall Outlook for Commercial […]
One Big Beautiful Bill: New Tip Income Tax Rules Employers & Workers Need to Know
Part 2 – Tips Excluded from Income Certain employees and independent contractors may be eligible to deduct tips from their income for tax years 2025 through 2028 under provisions included in the One Big Beautiful Bill. The deduction is capped at $25,000 per year and begins to phase out at $150,000 of modified adjusted gross […]
One Big Beautiful Bill: New Overtime Tax Rules Employers and Employees Need to Know
Part 1 – Overtime Pay and Income Tax Treatment Overview This Firm Insights post summarizes one provision of the “One Big Beautiful Bill” related to the tax treatment of overtime compensation and related employer wage reporting obligations. Overtime Pay and Employee Tax Treatment The Fair Labor Standards Act (FLSA) generally requires that overtime be paid […]
New York’s FAIR Business Practices Act: What the New Consumer Protection Measure Means for Your Business
In 2025, New York enacted one of the most consequential updates to its consumer protection framework in decades. The Fostering Affordability and Integrity through Reasonable Business Practices Act (FAIR Act) significantly expands the scope and strength of New York’s long-standing consumer protection statute, General Business Law § 349, and alters the compliance landscape for New York […]
How to Reduce Legal Risk as Your New Jersey Business Grows in 2026
For many New Jersey businesses, growth is a primary objective for the New Year. However, it is important to recognize that growth involves both opportunity and risk. For example, business expansion often results in complex contracts, an increased workforce, new regulatory requirements, and heightened exposure to disputes. Without proactive planning, even routine growth can lead […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
