Privacy & Information Security Law Blog

On June 30, 2021, the New York State Department of Financial Services (“NYDFS,” the “Department”) issued guidance to all New York state regulated entities on ransomware (the “Guidance”), identifying controls it expects regulated companies to implement whenever possible.

To help prevent successful ransomware attacks, the Department outlines a playbook of known cybersecurity countermeasures and controls. Notably, the guidance states that, given the substantial risk from ransomware, “every NYDFS-regulated company should seek to implement the controls outlined in this Guidance to the extent possible.”

With respect to reporting ransomware incidents to the Department, the Guidance provides that because such attacks pose an inherent risk to the confidentiality, integrity and availability of an organization’s data, regulated entities should assume that any successful deployment of ransomware on their internal network should be reported to NYDFS as promptly as possible and within 72 hours at the latest. The Department noted it may expressly mandate this in its reporting requirements going forward.

With respect to ransomware prevention, the Department expects regulated companies to implement the following controls whenever possible:

• Email filtering and anti-phishing training for employees, including regular exercises and blocking malicious attachments and links;
• Vulnerability and patch management, including a documented program to identify, assess, track and remediate vulnerabilities on all enterprise assets;
• Multi-Factor Authentication, including for all logins to remote or internal privileged accounts;
• The disabling of Remote Desktop Protocol (“RDP”) access wherever possible, and if RDP is deemed necessary, restricting access only to whitelisted originating sources;
• Privileged access management, including implementing the principle of least privileged access;
• A way to monitor systems and respond to suspicious activity alerts, including an Endpoint Detection Response (“EDR”) solution;
• Comprehensive, segregated backups that will allow for recovery in the event of a ransomware attack; and
• An incident response plan that explicitly addresses ransomware attacks and will undergo testing, including with the involvement of senior leadership.

The Department noted that it also is considering revisions to its Cybersecurity Regulation to address the evolving cyber threat landscape, and that it welcomes engagement with industry and experts on revisions to the NYDFS Cybersecurity Regulation. Additionally, NYDFS notes that it, like the FBI, recommends against paying ransoms.