New York State Department of Financial Services’ Ransomware Guidance

On June 30, 2021, the New York State Department of Financial Services (NYDFS) issued Ransomware Guidance to financial services companies, identifying key cybersecurity measures to reduce the risk of a ransomware attack. Ransomware poses an existential threat to the confidentiality, integrity, and availability of an organization’s data and, in doing so, to the organization itself. In response to this risk, the NYDFS issued guidance to covered financial services companies[1] to bolster their internal cyber defenses. The NYDFS echoes the federal government’s position,[2] which discourages victims from paying ransoms, arguing that payment not only encourages future ransom demands but also may risk violating Office of Foreign Assets Control (OFAC) regulations. NYDFS is also considering revising its 2016 and 2017 Cybersecurity Regulations to address the evolving and increasingly dangerous threat of ransomware.

Key Points

In developing its guidance, the NYDFS examined 74 reported ransomware attacks that occurred in 2021. In each case, cyber criminals gained access to computer systems through phishing, exploiting unpatched vulnerabilities, or exploiting poorly secured remote desktop protocols. In light of these findings, the NYDFS advised covered financial services companies to implement measures related to prevention, incident response and recovery, and reporting.

Prevention

The NYDFS advised on a multilayered cybersecurity approach and for regulated companies to implement the following controls “whenever possible.” Key prevention measures outlined by NYDFS include:

  1. Regularly training employees in cybersecurity awareness and anti-phishing, including conducting periodic phishing exercises.[3]
  2. Employing a vulnerability and patch management program that includes periodic penetration testing, strong governance, timely application of security patches and updates, and, where possible, automatic updates.[4]
  3. Using multi-factor authentication (MFA) for remote access and particularly for privileged accounts, which should require MFA whether an employee is remote or internal.[5]
  4. Disabling Remote Desktop Protocol (RDP) access wherever possible.[6]
  5. Requiring strong, unique passwords; larger organizations should strongly consider a password-vaulting privileged access management solution.[7]
  6. Granting users the minimum level of access necessary to perform their jobs, and inventorying and periodically auditing privileged accounts.[8]
  7. Implementing a robust Endpoint Detection and Response (EDR) solution. For complex organizations, NYDFS also advised implementing lateral movement detection and a Security Information and Event Management (SIEM) solution that centralizes logging and security event alerting.[9]

Incident Response and Recovery

The NYDFS also advised regulated companies to have plans ready in the event of a successful attack. This includes maintaining comprehensive, segregated backups that are periodically tested and that will allow recovery in the event of a ransomware attack. NYDFS also advised having an incident response plan that explicitly addresses ransomware attacks.[10]

Reporting

The NYDFS reminds regulated companies to assume that any successful deployment of ransomware on their internal network should be reported to NYDFS as promptly as possible and within 72 hours at the latest.[11] Moreover, any intrusion in which hackers gain access to privileged accounts should also be reported.

How Can Guidehouse Help? 

Unmanaged cyber risks can compromise your organization’s mission and erode your enterprise’s value. Guidehouse’s Cybersecurity Solutions enable our clients to establish high-performing cybersecurity operations to protect critical data and services. If you should need advice and support for data protection and security, Guidehouse has a robust cybersecurity practice that supports the key elements for data protection. Our cybersecurity advisors guide clients through complex technology, business, and enterprise risk management scenarios. We offer cybersecurity solutions to help our clients establish and optimize their information security operations to be better prepared to address current—and future—technology risks. Such solutions include:

  • Cybersecurity Program Assessments.
  • Cybersecurity Risk Assessment and Program Management.
  • Assurance and Testing of Controls.
  • Incident Management and Cyber Resiliency Program Development.
  • Training and Awareness Program Development.
  • Chief Information Security Officer Advisory and Support Services.
  • Regulatory Compliance Management.

Guidehouse can quickly review and assess your cybersecurity program to determine whether it is sound, identify gaps or weaknesses, and conduct training. Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened risks.


[1] Covered Entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law (23 New York Codes, Rules and Regulations (NYCRR) § 500.01(c)).
[2] See OFAC Advisory, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, October 1, 2020, and FinCEN Advisory, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, October 1, 2020.
[3] 23 NYCRR § 500.14(b).
[4] 23 NYCRR § 500.03(g); 23 NYCRR § 500.05(b).
[5] 23 NYCRR § 500.12; 23 NYCRR § 500.03(d).
[6] 23 NYCRR § 500.03(g).
[7] 23 NYCRR § 500.03(d).
[8] 23 NYCRR § 500.12; 23 NYCRR §§ 500.03(d) & (g).
[9] 23 NYCRR § 500.03(h).
[10] 23 NYCRR §§ 500.03(e), (f), and (n); 23 NYCRR § 500.16.
[11] 23 NYCRR § 500.17(a).
