Only a few months ago, the New York State Department of Financial Services (NYDFS) published its Cyber Insurance Risk Framework, which announced its expectations of insurers in their capacity as insurers of cyber risks. Now, in the wake of a June 2 White House memorandum entitled "What to Do Now to Prevent Ransomware," NYDFS has published another statement which pivots back to its focus on all New York State-regulated entities as targets of cyber criminals.
On June 30, 2021, NYDFS posted an industry letter on its website to provide "Ransomware Guidance." The letter is not so much guidance as a ratcheting up of NYDFS’s expectations of regulatees in addressing their own vulnerabilities to ransomware. The letter, for the most part, discusses the scope of the challenges and provides a list of nine "security controls" that NYDFS expects its regulatees to adopt. As discussed below, there is considerable, although not total, overlap with the White House memorandum recommendations.
In the letter, NYDFS cites outside sources for its assertion that ransomware attacks increased by 300 percent in 2020 and loss ratios on cyber insurance increased from 42 percent between 2015 and 2019 to 73 percent in 2020.
NYDFS reported in the letter that, as a result of the mandatory cyber event reporting requirements included in its Cyber Regulation, it has investigated 74 ransomware attacks, developed a playbook of ransomware methods and identified "security controls" that "can address each of the weaknesses commonly exploited by ransomware criminals." According to NYDFS, the controls "will substantially reduce” ransomware risk and DFS expects that all regulatees "should seek to implement the controls ... to the extent possible."
Finally, if one were tempted to read this guidance letter as simply a list of suggestions, NYDFS reports that it is so concerned about ransomware and regulatees’ responses that it is considering revising the existing Cyber Regulation to make some or all of the nine security controls mandatory.
The nine security controls
The nine security controls are a "defense in depth" approach, meaning that simply adopting one control is inadequate. NYDFS will expect regulatees to adopt all of the following controls "whenever possible" (separate guidance is provided for smaller businesses):
- Email filtering and anti-phishing training: Regulatees’ email systems should screen suspicious emails and require staff training on phishing.(This is not in the White House recommendations.)
- Vulnerability/patch management: Regulatees "should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure. It states that "[w]henever possible, regulated companies should enable automatic updates."
- Multi-factor authentication (MFA): Expanding on the NYDFS Regulation requirement for MFA for accessing a system remotely, NYDFS lists applying MFA for "privileged" accounts to prevent criminals from escalating through an organization’s systems.
- Disable RDP access: Remote desktop protocol access should be disabled.(This is not in the White House recommendations.)
- Password management: Regulatees should require passwords with a minimum of 16 characters and large organizations should "strongly consider a password vaulting PAM (privileged access management) solution"; and regulatees should disable password caching.(This is not in the White House recommendations.)
- Privileged access management: Regulatees should ensure that each account user has the minimum level of system access necessary to his or her job.
- Monitoring and response: "Regulatees should implement an Endpoint Detection and Response (EDR) solution" and larger companies should implement "lateral movement detection and a Security Information and Event Management (SIEM) solution...."
- Tested and segregated backups: Companies should prepare for an attack by maintaining comprehensive backups for recovery purposes.
- Incident response plan: Companies should have a plan in place to address ransomware attacks which is tested and includes senior leadership.
Statements in and the overall tone of the letter suggest that regulatees should expect that current examinations will focus on the implementation of these controls and whether regulatees have reported prior attacks within the timeframe set out in the Cyber Regulation.
Finally, it bears note that the NYDFS guidelines do not address two recommendations in the White House memorandum – segmenting corporate network and production/operational systems to reduce the threat of an operational shut down, and pen-testing. The latter is part of the NYDFS Cyber Regulations. The former bears consideration in light of the increase in operational ransomware attacks.