New York Department of Financial Services Announces New Guidance on Ransomware Prevention

Jones Day

Jones Day

On June 30, 2021, the New York Department of Financial Services ("NYDFS") identified key cybersecurity measures to prevent and prepare for ransomware attacks.

The NYDFS announced new guidance that it recommends regulated financial entities implement to reduce the risk of ransomware attacks. The guidance is in response to a significant increase of ransomware attacks reported by regulated entities to the NYDFS since January 2020. According to the NYDFS, ransomware attacks increased by 300% in 2020. 

Specifically, the NYDFS recommends that entities implement seven measures to manage the risk of ransomware attacks:

  1. Train employees on cybersecurity awareness and anti-phishing and conduct periodic phishing exercises; 
  2. Implement a vulnerability and patch management program that includes periodic penetration testing, timely application of security patches, and automatic updates;
  3. Use multi-factor authentication ("MFA") for remote access to the network and all externally exposed enterprise and third-party applications;
  4. Disable remote desktop access wherever possible, and if deemed necessary, use MFA and strong passwords where remote access is needed from approved originating sources; 
  5. Require strong, unique passwords of at least 16 characters. Larger entities should strongly consider a password vaulting privilege access management solution which requires employees to check out passwords; 
  6. Implement privileged access management based on the principle of least privileged access; 
  7. Monitor systems for intruders, respond to suspicious activity, and consider an Endpoint Detection and Response solution. Larger entities should implement lateral movement detection and a Security Information and Event Management solution.

In preparation for a ransomware attack the NYDFS recommends that entities test and maintain comprehensive, segregated, and offline backups to allow for recovery in case of a successful attack. The guidance also recommends that entities implement an incident response plan that explicitly addresses ransomware attacks, and that senior leadership test the plan.

Not surprisingly, the NYDFS recommends against paying a ransom. Because ransomware attacks can present significant risks to the confidentiality, integrity, and availability of regulated companies’ data, the NYDFS directs regulated companies to assume that a successful deployment of ransomware on their internal network should be reported to the NYDFS within 72 hours. Entities also should report intrusions in which hackers gain access to privileged accounts. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day

Jones Day on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.