Ransomware attacks have been soaring in frequency and severity, affecting companies, government agencies, and nonprofits and leading to larger and larger ransom demands as a condition for unlocking the victim’s information systems. On June 30, 2021, the New York State Department of Financial Services (NYDFS) issued guidance on how potential victims can minimize the risk of a successful ransomware attack. While the controls are officially characterized as guidance, NYDFS makes clear that it "expects regulated companies to implement" the preventative controls, in particular, "whenever possible." Companies not regulated by NYDFS should also consider implementing the guidance, since they are just as susceptible to ransomware attacks and the NYDFS guidance may be considered by other regulators and courts as contributing to a general standard of reasonable security in the face of this growing cyber threat.
NYDFS reported that from January 2020 through May 2021, NYDFS-regulated companies reported 74 ransomware attacks ranging "from crippling days-long shutdowns to minor disruption from temporary loss of a few computers." In addition, NYDFS reported a "growing number of third-party Cybersecurity Events – where ransomware attacks against a critical vendor disrupt[ed] the operations of a regulated company."
NYDFS's guidance highlights nine controls to prevent or respond to ransomware attacks:
- "Email Filtering and Anti-Phishing Training"
- Companies should provide their workforce with "recurrent phishing training, including how to spot, avoid, and report phishing attempts." They "should also conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails, and remedial training for employees as necessary." Lastly, companies should ensure that emails are "filtered to block spam and malicious attachments/links from reaching users."
- "Vulnerability and Patch Management"
- Companies should implement "a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure." This "program should include periodic penetration testing." In addition, companies should ensure that "[v]ulnerability management include[s] requirements for timely application of security patches and updates” and "[w]herever possible … automatic updates" should be enabled.
- "Multi-Factor Authentication ('MFA')"
- The guidance reminds regulated companies that "MFA for remote access to the network and all externally exposed enterprise and third-party applications is required by" the NYDFS Cybersecurity Regulation. The ransomware guidance recommends that companies expand the use of MFA to "[a]ll logins to privileged accounts, whether remote or internal."
- "Disable RDP Access"
- Remote Desktop Protocol (RDP) access should be disabled whenever possible. However, if "RDP access is deemed necessary, then access should be restricted to only approved (whitelisted) originating sources and [companies should] require MFA as well as strong passwords."
- "Password Management"
- "Regulated companies should ensure that strong, unique passwords are used." In particular, "passwords of at least 16 characters" should be used and "commonly used passwords" should be banned. Larger organizations should "consider a password vaulting PAM (privileged access management) solution" that would require "employees to request and check out passwords." Finally, companies should disable "password caching" wherever possible.
- "Privileged Access Management"
- Companies should implement "the principle of least privileged access – each user or service account should be given the minimum level of access necessary to perform the job." In addition, they "should universally require MFA and strong passwords" for privileged accounts and "maintain and periodically audit an inventory of all privileged accounts. Privileged accounts should be used only for tasks requiring elevated privileges, and administrators should have a second non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc."
- "Monitoring and Response"
- "Regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity." As part of such efforts, companies should "implement an Endpoint Detection and Response ('EDR') solution, which monitors for anomalous activity. … Companies with larger and more complex networks should also have lateral movement detection and a Security Information and Event Management (SIEM) solution that centralizes logging and security event alerting."
- "Tested and Segregated Backups"
- "Regulated companies should maintain comprehensive, segregated backups that will allow recovery in the event of a ransomware attack." In addition, "at least one set of backups should be segregated from the network and offline" to ensure backups are not compromised by the attack. Finally, companies should "periodically test backups by actually restoring critical systems from backups" so that backups "actually work when needed."
- "Incident Response Plan"
- Companies should implement an "incident response plan that explicitly addresses ransomware attacks," and regularly test the plan, with involvement of senior leadership.
NYDFS' guidance also recommends against the payment of ransoms to attackers. NYDFS' position on this issue is in line with that of the FBI, which also recommends against the payment of ransoms. Companies should also closely consider the advisories of the Treasury Department's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) on the sanctions and anti-money laundering (AML) risks of making or facilitating ransomware payments, as we have previously addressed.
Finally, NYDFS' guidance advises that "any successful deployment of ransomware on a [regulated company's] internal network should be reported to DFS 'as promptly as possible and within 72 hours at the latest.'" It also recommends that "any intrusion where hackers gain access to privileged accounts" should be reported.