The New York State Department of Financial Services ("NYDFS") issued new guidance on ransomware prevention, highlighting cybersecurity measures that can significantly reduce the risk of an attack.
In an industry letter, the NYDFS recommended, in step with the FBI, against paying ransoms because such payments (i) may violate the Treasury's OFAC sanctions, (ii) do not guarantee that the company will regain access to all its data, or that the company's data will not be leaked later anyway, and (iii) for most of those that paid, did not prevent subsequent attacks. The NYDFS indicated that it received reports of 74 ransomware attacks from DFS-regulated companies between January 2020 and May 2021, and it found that all the incidents followed a similar pattern: hackers (i) enter a victim's network through phishing, by exploiting unpatched vulnerabilities, or through poorly secured Remote Desktop Protocol ("RDP") access, (ii) escalate to administrator privileges once inside the network, and then (iii) deploy ransomware, bypass security controls and target backups.
The NYDFS urged all regulated entities to implement a multi-layered (or "defense in depth") approach to cybersecurity by:
- filtering email and training employees to recognize phishing;
- implementing a vulnerability and patch management program;
- using multi-factor authentication;
- disabling RDP access from the internet wherever possible;
- ensuring the use of strong, unique passwords;
- employing privileged access management (i.e., limiting each account to the minimum level of access necessary to perform its job);
- monitoring their systems for intruders;
- segregating and testing backups; and
- having a ransomware-specific incident response plan that is tested, including by senior leadership.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.