NYDFS Issues New Guidance on Ransomware Prevention

Author: Scarinci Hollenbeck, LLC

Date: July 23, 2021


The New York Division of Financial Services (NYDFS or Department) recently issued guidance on what steps financial institutions should be taking to reduce the risk of a ransomware attack. The new guidelines come as the number of ransomware attacks increased 300 percent in 2020.

Rise in Ransomware Attacks

Ransomware attacks are among the most disruptive cyberattacks. They have also become increasingly prevalent and more sophisticated in recent years. Cybercriminals’ success in obtaining large extortion payments has also financed the development of more effective hacking and ransomware tools and helped recruit additional hackers. Accordingly, NYDFS shares the FBI’s view that companies should avoid making ransomware payments if their networks are compromised. Instead, the Department is calling on businesses to dedicate their resources to thwarting attacks.

“As ransomware attacks continue to surge, implementing cybersecurity measures is critical to protect consumers and business lines,” Superintendent Linda Lacewell said in a press statement. “As reported, cybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry. We must all do our part to prevent ransomware incidents.”

In its ransomware guidance, NYDFS warns that a major ransomware attack could cause the next great financial crisis. “A ransomware attack that simultaneously cripples several financial services companies could lead to a loss of confidence in the financial system,” the guidance states. “This could happen either through an exploitation of a vulnerability in widely used software to attack many companies at once – as seen recently for SolarWinds and Microsoft Exchange – or through a single ransomware attack that disables critical infrastructure for financial services, such as a cloud services provider or a regional power grid.”

NYDFS also notes that the cost of ransomware has impacted the cyber insurance market. According to the Department, loss ratios on cyber insurance increased from an average of 42% during 2015-2019 to 73% in 2020 because of ransomware.

NYDFS Ransomware Guidance

NYDFS has investigated reports of ransomware attacks made to the agency and determined that the perpetrators are repeatedly using the same handful of techniques. In most cases, hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.

NYDFS has also confirmed that most attacks are preventable. “Each step in this playbook has known cybersecurity countermeasures, which if implemented effectively will substantially reduce the risk of a successful ransomware attack,” the Department states.

Below are several of NYDFS’s recommended security controls:

  • Email Filtering and Anti-Phishing Training: NYDFS advises that required cybersecurity awareness training pursuant to 23 NYCRR § 500.14(b) should include recurrent phishing training, including how to spot, avoid, and report phishing attempts. “Companies should also conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails, and remedial training for employees as necessary,” the guidance states. Additionally, emails should be filtered to block spam and malicious attachments/links from reaching users.
  • Vulnerability/Patch Management: As mandated by 23 NYCRR § 500.05(b), companies should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure. The program should include periodic penetration testing. NYDFS stresses that timely remediation of vulnerabilities is essential and requires strong governance, including assignment and tracking of responsibilities. Vulnerability management should include requirements for timely application of security patches and updates. Wherever possible, regulated companies should enable automatic updates.
  • Multi-Factor Authentication (MFA): As the guidance highlights, MFA for remote access to the network and all externally exposed enterprise and third-party applications is required by 23 NYCRR § 500.12. All logins to privileged accounts, whether remote or internal, should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking.
  • Disable RDP Access: Regulated entities should disable RDP access from the internet wherever possible. If, after assessing the risk, RDP access is deemed necessary, then access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.
  • Password Management: NYDFS states that regulated companies should ensure that strong, unique passwords are used. Privileged user accounts should require passwords of at least 16 characters and ban commonly used passwords. Larger organizations with dozens or hundreds of privileged user and service accounts should strongly consider a password vaulting PAM (privileged access management) solution which requires employees to request and check out passwords. Additionally, password caching should be turned off wherever possible.
  • Privileged Access Management: In accordance with 23 NYCRR §§ 500.03(d); 500.07, regulated companies should implement the principle of least privileged access – each user or service account should be given the minimum level of access necessary to perform the job. NYDFS advises that privileged accounts should be carefully protected, and companies should maintain and periodically audit an inventory of all privileged accounts. Privileged accounts should be used only for tasks requiring elevated privileges, and administrators should have a second non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc.
  • Monitoring and Response: As mandated under 23 NYCRR § 500.03(h), regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity. Regulated companies should implement an Endpoint Detection and Response (EDR) solution, which monitors for anomalous activity. As NYDFS notes, advanced EDR can quarantine infected systems, potentially stopping ransomware from executing before it can encrypt the endpoint.
  • Tested and Segregated Backups: In accordance with 23 NYCRR §§ 500.03(e), (f), and (n), regulated companies should maintain comprehensive, segregated backups that will allow recovery in the event of a ransomware attack. As stated in the guidelines, “It is important to periodically test backups by actually restoring critical systems from backups – this is the only way to be sure the backups will actually work when needed.”
  • Incident Response Plan: As required under 23 NYCRR § 500.16, regulated companies should have an incident response plan that explicitly addresses ransomware attacks. “The plan should be tested, and the testing should include senior leadership – decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident,” the guidance states.

Reporting Ransomware Attacks to NYDFS

NYDFS further advises that, because ransomware attacks inherently pose significant risks to the confidentiality, integrity, and availability of an organization’s data, regulated companies should assume that any successful deployment of ransomware on their internal network must be reported to DFS “as promptly as possible and within 72 hours at the latest,” pursuant to 23 NYCRR § 500.17(a). Similarly, any intrusion in which hackers gain access to privileged accounts generally must also be reported. According to the Department, it is considering clarifying its reporting requirements by expressly requiring these types of incidents to be reported.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Thomas Herndon, Jr., or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
