The NYDFS recently issued guidance on what steps financial institutions should be taking to reduce the risk of a ransomware attack...
The New York Division of Financial Services (NYDFS or Department) recently issued guidance on what steps financial institutions should be taking to reduce the risk of a ransomware attack. The new guidelines come as the number of ransomware attacks increased 300 percent in 2020.
Rise in Ransomware Attacks
Ransomware attacks are among the most disruptive cyberattacks. They have also become increasingly prevalent and more sophisticated in recent years. Cybercriminals’ success in obtaining large extortion payments has also financed the development of more effective hacking and ransomware tools and helped recruit additional hackers. Accordingly, NYDFS shares the FBI’s view that companies should avoid making ransomware payments if their networks are compromised. Instead, the Department is calling on businesses to dedicate their resources to thwarting attacks.
“As ransomware attacks continue to surge, implementing cybersecurity measures is critical to protect consumers and business lines,” Superintendent Linda Lacewell said in a press statement. “As reported, cybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry. We must all do our part to prevent ransomware incidents.”
In its ransomware guidance, NYDFS warns that a major ransomware attack could cause the next great financial crisis. “A ransomware attack that simultaneously cripples several financial services companies could lead to a loss of confidence in the financial system,” the guidance states. “This could happen either through an exploitation of a vulnerability in widely used software to attack many companies at once – as seen recently for SolarWinds and Microsoft Exchange – or through a single ransomware attack that disables critical infrastructure for financial services, such as a cloud services provider or a regional power grid.”
NYDFS also notes that the cost of ransomware has also impacted the cyber insurance market. Because of ransomware, loss ratios on cyber insurance increased from an average of 42% during 2015-2019 to 73% in 2020, according to the Department.
NYDFS Ransomware Guidance
NYDFS has investigated reports of ransomware attacks made to the agency and determined that the perpetrators are repeatedly using the same handful of techniques. In most cases, hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.
NYDFS has also confirmed that most attacks are preventable. “Each step in this playbook has known cybersecurity countermeasures, which if implemented effectively will substantially reduce the risk of a successful ransomware attack,” the Department states.
Below are several of NYDFS’s recommended security controls:
Email Filtering and Anti-Phishing Training: NYDFS advises that required cybersecurity awareness training pursuant to 23 NYCRR § 500.14(b) should include recurrent phishing training, including how to spot, avoid, and report phishing attempts. “Companies should also conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails, and remedial training for employees as necessary,” the guidance states. Additionally, emails should be filtered to block spam and malicious attachments/links from reaching users.
Vulnerability/Patch Management: As mandated by 23 NYCRR § 500.05(b), companies should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure. The program should include periodic penetration testing. NYDFS stresses that timely remediation of vulnerabilities is essential and requires strong governance, including assignment and tracking of responsibilities. Vulnerability management should include requirements for timely application of security patches and updates. Wherever possible, regulated companies should enable automatic updates.
Multi-Factor Authentication (MFA): As the guidance highlights, MFA for remote access to the network and all externally exposed enterprise and third-party applications is required by 23 NYCRR § 500.12. All logins to privileged accounts, whether remote or internal, should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking.
Disable RDP Access: Regulated entities should disable RDP access from the internet wherever possible. If, after assessing the risk, RDP access is deemed necessary, then access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.
Password Management: NYDFS states that regulated companies should ensure that strong, unique passwords are used. Privileged user accounts should require passwords of at least 16 characters and ban commonly used passwords. Larger organizations with dozens or hundreds of privileged user and service accounts should strongly consider a password vaulting PAM (privileged access management) solution which requires employees to request and check out passwords. Additionally, password caching should be turned off wherever possible.
Privileged Access Management: In accordance with 23 NYCRR §§ 500.03(d); 500.07, regulated companies should implement the principle of least privileged access – each user or service account should be given the minimum level of access necessary to perform the job. NYDFS advises that privileged accounts should be carefully protected, and companies should maintain and periodically audit an inventory of all privileged accounts. Privileged accounts should be used only for tasks requiring elevated privileges, and administrators should have a second non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc.
Monitoring and Response: As mandated under 23 NYCRR § 500.03(h), regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity. Regulated companies should implement an Endpoint Detection and Response (EDR) solution, which monitors for anomalous activity. As NYDFS notes, advanced EDR can quarantine infected systems, potentially stopping ransomware from executing before it can encrypt the endpoint.
Tested and Segregated Backups: In accordance with 23 NYCRR §§ 500.03(e), (f), and (n), regulated companies should maintain comprehensive, segregated backups that will allow recovery in the event of a ransomware attack. As stated in the guidelines, “It is important to periodically test backups by actually restoring critical systems from backups – this is the only way to be sure the backups will actually work when needed.”
Incident Response Plan: As required under 23 NYCRR § 500.16, regulated companies should have an incident response plan that explicitly addresses ransomware attacks. “The plan should be tested, and the testing should include senior leadership – decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident,” the guidance states.
Reporting Ransomware Attacks to NYDFS
NYDFS further advises that given that ransomware attacks inherently pose significant risks to the confidentiality, integrity, and availability of an organization’s data, regulated companies should assume that any successful deployment of ransomware on their internal network should be reported to DFS “as promptly as possible and within 72 hours at the latest,” pursuant to 23 NYCRR § 500.17(a). Similarly, any intrusion where hackers gain access to privileged accounts generally must also be reported. According to the Department, it is considering clarifying its reporting requirements by expressly requiring these types of incidents to be reported.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Thomas Herndon, Jr., or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Failing to Comply With NJ Rent Control Exemption May Prove Costly
What Developers Need to Know About New Jersey’s Rent Control Exemption Law to Ensure Entitlement to Exemption for Newly Constructed Multi-family Housing. A property owner in Jersey City is facing a $400 million federal class action lawsuit alleging that the landlord did not follow the procedural steps required to be eligible for exemption from local […]
Crypto Securities Law: When Tokens Become Investment Contracts
The application of traditional federal securities laws to crypto assets continues to evolve. In some cases, the Securities and Exchange Commission (SEC) considers tokens and other digital assets to be securities. This makes them subject to federal securities law, including the Securities Act of 1933 and the Securities Exchange Act of 1934. This classification has […]
The Due Diligence Process for NY Condominiums and Cooperatives
While the New York City real estate market can be extremely competitive, moving too quickly often backfires. Before purchasing a condominium or cooperative in New York City, it is important to do you homework. Purchasing property in NYC can involve a dizzying number of legal issues. These include condo and co-op rules, rent restrictions, and […]
Smart Contract Legal Issues: Drafting Agreements for Blockchain
Smart contracts feature a unique blend of legal agreement and technical code. This innovation has the potential to reshape how business is conducted. At the same time, smart contract legal issues around enforceability, jurisdiction, identity, and compliance are common. The legal framework for these self-executing agreements is still evolving. What Are Smart Contracts? Smart contracts, […]
Are Stay Interviews the Key to Retaining Top Talent?
Retaining top talent continues to be one of the greatest challenges facing employers today. Even in an employer’s market, the loss of a key employee can disrupt operations and result in significant costs. While compensation plays a role, long-term retention often depends on workplace culture, communication, and employee engagement. One increasingly popular strategy for improving […]
Secured transactions form the backbone of a wide range of business dealings, including business loans, mortgages, and inventory financing. Because the stakes are often high and relatively minor oversights can have drastic consequences, lenders and borrowers should thoroughly understand how to form an enforceable security agreement that protects their legal rights. What Is a Secured […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
