NYDFS Issues Ransomware Guidance

Sheppard Mullin Richter & Hampton LLP

The New York State Department of Financial Services (NYDFS) recently announced new guidance addressing ransomware attacks and highlighting cybersecurity measures that significantly reduce the risk of an attack. The guidance comes as ransomware rates have been increasing, and it builds on the post-SolarWinds guidance from NYDFS about supply-chain management. It was released just prior to the most recent large attack, namely the July 2nd supply-chain ransomware attack centered on the U.S. information technology firm Kaseya.

The guidance was generated from reports to NYDFS of 74 ransomware attacks submitted by NYDFS-regulated companies between January 2020 and May 2021, which NYDFS said followed a similar pattern: “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” NYDFS – in step with the FBI – recommends against paying ransoms because such payments (i) may violate the Treasury’s OFAC sanctions, (ii) do not guarantee that the company will regain access to all its data, or that the company’s data will not be leaked later anyway, and (iii) will likely not prevent subsequent attacks. Instead, in the guidance NYDFS urged all regulated entities to implement the following multi-layered approach to cybersecurity:

  • Train employees about email filtering and anti-phishing;
  • Implement a vulnerability and patch management program;
  • Use multi-factor authentication;
  • Disable RDP access from the internet wherever possible;
  • Use strong, unique passwords;
  • Employ privileged access management so that each user has the minimum level of access necessary to perform the job;
  • Monitor systems for intruders;
  • Segregate and test backups; and
  • Include a ransomware-specific incident response plan that is tested.

Putting it Into Practice: This guidance is a reminder that while supply-chain cybersecurity threats have been gaining headlines, cyberattacks still can and do occur as a result of phishing, human error, and failures in controls. Teaching employees about good cyber hygiene helps to mitigate the risk that they will fall prey to sophisticated phishing or socially engineered fake emails. Companies should couple their employee cybersecurity training with a robust cybersecurity program that uses diversified security measures and tests its controls to ensure system endpoints are protected from threats.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
