On June 30, 2021, the New York State Department of Financial Services (NYDFS) issued Ransomware Guidance to financial services companies, identifying key cybersecurity measures to reduce the risk of a ransomware attack. Ransomware poses an existential threat to the confidentiality, integrity, and availability of an organization’s data, and, in doing so, to the organization itself. In response to this inherent risk, the NYDFS issued guidance to covered financial services companies to bolster their internal cyber defenses. The NYDFS echoes the federal government’s position, which discourages victims from paying ransoms, arguing that payment not only encourages future ransom demands but also may risk violating Office of Foreign Assets Control (OFAC) regulations. NYDFS is also considering revising its 2016 and 2017 Cybersecurity Regulations to address the evolving and increasingly dangerous threat of ransomware.
In developing its guidance, the NYDFS examined 74 reported ransomware attacks that occurred in 2021. In each case, cyber criminals were able to gain access to computer systems through phishing, exploiting unpatched vulnerabilities, or exploiting poorly secured desktop protocols. In light of these findings, the NYDFS advised covered financial services companies to implement measures related to prevention, incident response and recovery, and reporting.
The NYDFS advised on a multilayered cybersecurity approach and for regulated companies to implement the following controls “whenever possible.” Key prevention measures outlined by NYDFS include:
The NYDFS also advised regulated companies to have plans ready in the event of a successful attack. This includes maintaining comprehensive, segregated backups that are periodically tested and that will allow recovery in the event of a ransomware attack. NYDFS also advised having an incident response plan that explicitly addresses ransomware attacks.
The NYDFS reminds regulated companies that they should assume that any successful deployment of ransomware on their internal network must be reported to NYDFS as promptly as possible, and within 72 hours at the latest. Moreover, any intrusion in which attackers gain access to privileged accounts should also be reported.
Unmanaged cyber risks can compromise your organization’s mission and erode your enterprise’s value. Guidehouse’s Cybersecurity Solutions enable our clients to establish high-performing cybersecurity operations to protect critical data and services. If you should need advice and support for data protection and security, Guidehouse has a robust cybersecurity practice that supports the key elements for data protection. Our cybersecurity advisors guide clients through complex technology, business, and enterprise risk management scenarios. We offer cybersecurity solutions to help our clients establish and optimize their information security operations to be better prepared to address current—and future—technology risks. Such solutions include:
Guidehouse can quickly review and assess your cybersecurity program to determine whether it is sound, identify gaps or weaknesses, and conduct training. Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened risks.