As the Department of Financial Services noted in the Cyber Insurance Risk Framework in February 2021, the cost of ransomware attacks has also shaken up the cyber insurance market. Because of ransomware, loss ratios on cyber insurance increased from an average of 42% during 2015-2019 to 73% in 2020.
Cybercriminals keep demanding larger sums – ransom demands increased 171% from 2019 to 2020 and continue to grow. A major insurer, CNA, recently paid a $40 million ransom. These extortion payments have funded more frequent and more sophisticated ransomware attacks.
Due to the rise of ransomware, the Department of Financial Services has issued guidelines to help companies fend off cybersecurity risks. This Guidance is part of the Department’s broader effort to address the risk of ransomware. The Department is also considering revising its Cybersecurity Regulation to address the evolution in cyber risk. Drafted in 2016 and 2017, the Department’s ground-breaking Cybersecurity Regulation mandated a handful of specific controls that were widely accepted as necessary minimum controls at the time – for example, Multi-Factor Authentication (“MFA”) for remote access and encryption. Given the evolving and more dangerous threat landscape that exists in 2021, the Department is evaluating what additional controls should be added to its Cybersecurity Regulation.
From January 2020 through May 2021, DFS-regulated companies reported 74 ransomware attacks. These attacks ranged in impact from crippling days-long shutdowns to minor disruption from the temporary loss of a few computers. Seventeen companies paid a ransom. The Department has also received a growing number of reports of third-party Cybersecurity Events – incidents where a ransomware attack against a critical vendor disrupts the operations of a regulated company.
These ransomware incidents followed a similar pattern. Hackers gained entry to the victim’s network using one of three techniques: 1) phishing, 2) exploiting unpatched vulnerabilities, or 3) exploiting poorly secured Remote Desktop Protocol (“RDP”) access.
Reporting Ransomware to the DFS
Given that ransomware attacks inherently pose significant risks to the confidentiality, integrity, and availability of an organization’s data, regulated companies should treat any successful deployment of ransomware on their internal network as reportable to DFS “as promptly as possible and within 72 hours at the latest,” pursuant to 23 NYCRR § 500.17(a). Likewise, any intrusion in which hackers gain access to privileged accounts should be reported. The Department is considering clarifying its reporting requirements by expressly requiring these types of incidents to be reported.
What controls does your company need?
There are specific security controls that can address each of the weaknesses commonly exploited by ransomware criminals. These controls, when implemented together, significantly reduce the risk of a successful ransomware attack. The Department expects regulated companies to implement these controls whenever possible.
- Email Filtering and Anti-Phishing Training
- Vulnerability/Patch Management
- Multi-Factor Authentication
- Disable RDP Access
- Password Management
- Privileged Access Management
- Monitoring and Response
- Tested and Segregated Backups
- Incident Response Plan
Does your company have these controls? Using risk assessments to benchmark the posture of your cybersecurity program is essential. Now is the time to develop a response plan or, better yet, engage a cybersecurity expert who can help you create a plan and implement these controls.