On June 30, 2021, the New York Department of Financial Services ("NYDFS") identified key cybersecurity measures to prevent and prepare for ransomware attacks.
The NYDFS announced new guidance that it recommends regulated financial entities implement to reduce the risk of ransomware attacks. The guidance is in response to a significant increase in ransomware attacks reported by regulated entities to the NYDFS since January 2020. According to the NYDFS, ransomware attacks increased by 300% in 2020.
Specifically, the NYDFS recommends that entities implement seven measures to manage the risk of ransomware attacks:
In preparation for a ransomware attack, the NYDFS recommends that entities test and maintain comprehensive, segregated, and offline backups to allow for recovery in case of a successful attack. The guidance also recommends that entities implement an incident response plan that explicitly addresses ransomware attacks, and that senior leadership test the plan.
Not surprisingly, the NYDFS recommends against paying a ransom. Because ransomware attacks can present significant risks to the confidentiality, integrity, and availability of regulated companies’ data, the NYDFS directs regulated companies to assume that a successful deployment of ransomware on their internal network should be reported to the NYDFS within 72 hours. Entities also should report intrusions in which hackers gain access to privileged accounts.