The sharp rise in ransomware attacks over the past year has everyone on high alert, regulators not least among them. Following on the heels of a June 2, 2021 White House memo addressing ransomware prevention, on June 30, 2021 the New York Department of Financial Services (“NYDFS”) issued ransomware guidance of its own in response to the increased frequency, scope, and sophistication of the attacks. The guidance explains how the cybersecurity hygiene already required by New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) can reduce the risk of ransomware incidents, and sets out the NYDFS’s expectation that ransomware events be reported under that regulation.
BACKGROUND ON RISING RANSOMWARE ATTACKS
The rising tide of ransomware has attracted attention at all levels of government. FBI Director Christopher Wray likened the challenge posed by this escalating threat to that of global terrorism after 9/11. Following the Colonial Pipeline attack, President Biden made mitigating ransomware a priority and issued an Executive Order focused on improving the nation’s cybersecurity. The administration has urged companies to take action, and the NYDFS is reinforcing that message with its new guidance.
The guidance notes that ransomware attacks increased by 300% in 2020, and that cyber insurance premiums subsequently rose by 73%. NYDFS-regulated entities have reported at least 74 ransomware attacks since January 2020. The NYDFS’s follow-up investigations show that these incidents share a common pattern: attackers gain an initial foothold in an entity’s network through phishing or by exploiting vulnerabilities, then escalate their privileges. With those privileges they evade security controls, steal data, disable backups, and finally deploy the ransomware. As the guidance notes, ransom payments feed a vicious cycle by funding “more frequent and sophisticated ransomware attacks.”
GUIDANCE ON REPORTING REQUIREMENTS
The new NYDFS guidance discusses reporting requirements and preventative measures aimed at mitigating the risk of ransomware attacks.
Most notably, the guidance establishes a de facto mandatory reporting requirement for ransomware events pursuant to 23 NYCRR § 500.17(a). Under that section, covered entities are required to report cybersecurity events to the superintendent no later than 72 hours after the covered entity determines that either (1) the cybersecurity event will require notice “to be provided to any government body, self-regulatory agency or any other supervisory body,” or (2) the cybersecurity event has a “reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.” With this guidance, the NYDFS makes clear that the inherent “risks to the confidentiality, integrity, and availability of an organization’s data” posed by ransomware mean covered entities should “assume that any successful deployment of ransomware on their internal network should be reported.” A presumption that any ransomware event requires notification represents a marked departure from the risk-based language of § 500.17(a), and covered entities should take note.
The guidance also outlines practical steps that covered entities should take to help prevent ransomware attacks. While acknowledging that smaller entities may have more difficulty implementing the controls, the NYDFS states that given the “substantial risk that now exists, every NYDFS-regulated company should seek to implement the controls outlined in this guidance to the extent possible.” With this in mind, covered entities should treat the following as effectively mandatory (see the guidance itself for the complete recommendations):
- Vulnerability/Patch Management. Employ a standardized and documented protocol to identify, track, and address vulnerabilities, including periodic penetration testing;
- Privileged Access Management. Limit access to and safeguard privileged accounts with strong credentials and regular audits;
- Remote Desktop Management. Disable Remote Desktop Protocol (RDP) access wherever possible;
- Password Management. Use strong, unique passwords. In particular, passwords for privileged user accounts should be at least 16 characters;
- Monitoring and Response. Use endpoint detection and response systems to detect and contain intruders;
- Email Filtering. Block spam and malicious attachments;
- Anti-Phishing Training. Train employees how to spot, avoid, and report phishing attempts;
- Multi-Factor Authentication (MFA). Deploy MFA for remote access to a company’s network and all externally-exposed applications;
- Tested and Segregated Backups. Maintain comprehensive and segregated backups and conduct recovery tests using those backups;
- Incident Response Plan. Implement an incident response plan and test it with senior leadership.
Ransomware attacks are disruptive and costly. While no organization can prevent ransomware altogether, the NYDFS guidance reinforces established best practices and sets clear expectations for how covered entities should prepare for, and report on, a ransomware attack should one occur.