October 14, 2021

New York Department of Financial Services Issues New Guidance on Preventing Ransomware Attacks

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

The ransomware crisis threatens every financial services company and their customers as incidents continue to surge. Many of us have become all too familiar with the term "ransomware" in recent years due to their frequency. Such attacks could severely impact business processes and leave financial organizations without the data they need to operate while undercutting customer confidence.

On June 30, 2021, the New York State Department of Financial Services ("Department" or "DFS") identified cybersecurity controls that significantly reduce the risk of a ransomware attack and should be implemented by companies wherever possible. The guidance was generated from reports to DFS of 74 ransomware attacks from DFS-regulated companies between January 2020 and May 2021. The purpose of these countermeasures is to substantially reduce the risk of a successful ransomware attack and protect every facet of your company. While these controls are well known, it's important to make sure that they are being used. DFS's guidance recommends the following:

1.      Train employees in cybersecurity awareness and anti-phishing.Required cybersecurity awareness training pursuant to 23 NYCRR § 500.14(b) should include recurrent phishing training, including how to spot, avoid, and report phishing attempts.

2.      Implement a vulnerability and patch management program.Companies should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure. 23 NYCRR § 500.03(g). The program should include periodic penetration testing. 23 NYCRR § 500.05(b). 

3.      Use multi-factor authentication, strong passwords and restrict RDP access.Multi-Factor Authentication ("MFA") protects user accounts and can prevent hackers from obtaining access to the network and from escalating privileges once in the network. All logins to privileged accounts should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking. 23 NYCRR §§ 500.03(d) & (g); 500.12. In addition, companies should ensure that strong, unique passwords are used. 23 NYCRR § 500.03(d). Privileged user accounts should require passwords of at least 16 characters and ban commonly used passwords. Companies should also disable Remote Desktop Protocol ("RDP") access from the internet wherever possible. 23 NYCRR § 500.03(g). However, if deemed necessary, then RDP access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.

4. Employ privileged access management to safeguard credentials for privileged accounts.Companies should implement the principle of least privileged access - each user or service account should be given the minimum level of access necessary to perform the job. 23 NYCRR §§ 500.03(d); 500.07.

5.      Use monitoring and response to detect and contain intruders.Companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity. 23 NYCRR § 500.03(h).

6.      Segregate and test backups to ensure that critical systems can be restored in the face of an attack.Companies should maintain comprehensive, segregated backups that will allow recovery in the event of a ransomware attack. 23 NYCRR §§ 500.03(e), (f), and (n). 

7.     Have a ransomware specific incident response plan that is tested by senior leadership.Companies should have an incident response plan that explicitly addresses ransomware attacks. 23 NYCRR § 500.16. The plan should be tested, and the testing should include decision makers. "Decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident."

As outlined above, such a multi-layered approach to cybersecurity helps to thwart ransomware and other intrusions at each stage of an attack. Regardless, any intrusion by a hacker on a company's internal network should be reported to DFS "as promptly as possible and within 72 hours at the latest," pursuant to 23 NYCRR § 500.17(a). These reports are often the genesis of further investigation by the Department and demonstrating clear and convincing command of the facts helps assure the Department that your company knows how to respond to an incident. A copy of the guidance can be found on the DFS website.

If you have any questions about the new DFS guidance, please contact Michael P. O'Mullan at [email protected], Labinot Alexander Berlajolli at [email protected], Robert N. Holup at [email protected], or any other attorney in Riker Danzig's Cyber Security & Data Privacy practice. 

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Riker Danzig LLP

SEC May Require Advisers and Funds to Draft Cybersecurity Policies and Disclose Incidents

By Michael P. O'Mullan Riker Danzig LLP February 11 , 2022

Following the rise of cybercrime and on the coattails of the Federal Trade Commission (FTC), the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB) and the Federal Deposit Insurance Corporation (FDIC) promulgating final rules concerning cybersecurity requirements for the financial services sector, we knew that the U.S. Securities and Exchange Commission (SEC) was not far behind.

New York Insurance Disclosure Act May Cause Significant Changes In New York State Court Lawsuits

By Brian E. O’Donnell Riker Danzig LLP February 10 , 2022

On December 31, 2021, New York Governor Kathy Hochul signed into law the Comprehensive Insurance Disclosure Act (the “Act”)

FINRA to Prioritize Cryptocurrency, Options Account Paperwork, and Expungement Reform in 2022

By Michael P. O'Mullan Riker Danzig LLP January 24 , 2022

During a January 19, 2021, webinar with the SIFMA Compliance & Legal Society, FINRA president and CEO Robert Cook discussed with participants FINRA’s priorities for 2022.

More From Cybersecurity

Regulating Cybersecurity across the EU and the UK

By Romain Perray McDermott Will & Emery January 12 , 2023

On November 28, 2022, the Council of the European Union formally adopted the Network and Information Security 2 Directive (NIS 2 Directive), replacing the current NIS Directive (Directive 2016/1148/EC).

NYDFS Proposes Significant Changes to Its Cybersecurity Regulation

By Timothy A. Butler Greenberg Traurig January 06 , 2023

On Nov. 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 cybersecurity regulation for financial service companies.

FTC Delays Compliance Date of the Safeguards Rule

By Timothy A. Butler Greenberg Traurig January 05 , 2023

On Nov. 15, 2022, the Federal Trade Commission (FTC) announced that it is delaying the effective date of its recent amendments to the Safeguards Rule, promulgated under the Gramm-Leach-Bliley Act (GLBA).

Featured Stories