NY DFS issues new guidance on ransomware

On the eve of a long holiday weekend, serendipitously, just before announcement of the Kaseya attack, the New York State Department of Financial Services (NY DFS) issued new Ransomware Guidance for regulated companies on preventing successful ransomware attacks. The Guidance identifies specific cybersecurity safeguards and controls, which NY DFS’s press release states should “significantly reduce the risk” of ransomware attacks and “should be implemented by companies wherever possible.” NY DFS cites a 300% rise in ransomware attacks in 2020 as a significant reason for the guidance, but a review of the emphasized safeguards suggests that NY DFS clearly had recent incidents in mind, including the Colonial Pipeline attack, as well as the specifically named SolarWinds and Microsoft Exchange attacks.

NY DFS states that “[e]ach company should implement a cybersecurity program that is proportionate to its resources and risk. . . . Given the substantial risk that now exists, every DFS-regulated company should seek to implement the controls outlined in this Guidance to the extent possible.” The safeguards and controls NY DFS “expects regulated companies to implement. . . . whenever possible” are as follows:

  1. Employee Training in Cybersecurity Awareness and Anti-Phishing. Citing required cybersecurity awareness training under 23 NYCRR § 500.14(b), NY DFS states that training “should include recurrent phishing training, including how to spot, avoid, and report phishing attempts.” In addition, companies should “conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails,” and conduct remedial training as necessary. Emails also should be filtered to block spam and malicious attachments. (Citing 23 NYCRR § 500.3(h).)
  2. Vulnerability/Patch Management. Organizations must “have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure,” and must conduct “periodic penetration testing.” (Citing 23 NYCRR §§ 500.03(g), 500.05(b).) According to NY DFS, “[t]imely remediation of vulnerabilities is essential and requires strong governance,” and vulnerability management “should include requirements for timely application of security patches and updates.” Wherever possible, regulated companies should enable automatic updates.
  3. Multi-Factor Authentication (“MFA”). Perhaps inspired by the Colonial Pipeline attack, and citing MFA requirements for remote access and for externally exposed enterprise and third-party applications under 23 NYCRR § 500.12, NY DFS advises that “[a]ll logins to privileged accounts, whether remote or internal, should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking.” (Also citing 23 NYCRR §§ 500.03(d) & (g); 500.12.)
  4. Disable Remote Desktop Protocol (RDP) Access. Perhaps also inspired by Colonial Pipeline, and citing 23 NYCRR § 500.03(g), NY DFS espouses that “[r]egulated entities should disable RDP access from the internet wherever possible.” If RDP access is necessary, NY DFS advises that such “access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.”
  5. Password Management. Strong and unique passwords are required under 23 NYCRR § 500.03(d). NY DFS now states that “[p]rivileged user accounts should require passwords of at least 16 characters and ban commonly used passwords.” Large organizations “with dozens or hundreds” of privileged user or service accounts should “strongly consider a password vaulting PAM (privileged access management) (see #6 below) solution which requires employees to request and check out passwords.” In addition, password caching should be turned off wherever possible.
  6. Privileged Access Management. NY DFS advises that companies should implement the principle of least privileged access. (Citing 23 NYCRR §§ 500.03(d); 500.07.) Privileged accounts also should “universally require MFA and strong passwords.” Further, privileged accounts should be employed only for tasks that require the elevated privileges; “administrators should have a second non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc.” Companies should also maintain and periodically audit an inventory of all privileged accounts. NY DFS further notes that privileged service accounts are “a frequent source of compromise,” and should have the same or more restrictive access controls as equivalent user accounts.
  7. Monitoring and Response. Companies must monitor their systems for intruders and respond to suspicious activity. (Citing 23 NYCRR § 500.03(h).) NY DFS states that companies “should implement an Endpoint Detection and Response (‘EDR’) solution, which monitors for anomalous activity.” NY DFS also advises that companies with large and complex networks should have lateral movement detection and a Security Information and Event Management (“SIEM”) solution that centralizes logging and security event alerting.
  8. Tested and Segregated Backups. NY DFS states that companies “should maintain comprehensive, segregated backups that will allow recovery in the event of a ransomware attack.” (Citing 23 NYCRR §§ 500.03(e), (f), and (n).) NY DFS now advises, “[t]o prevent hackers from deleting or encrypting backups, at least one set of backups should be segregated from the network and offline.” The Guidance also notes the importance of periodically testing backups “by actually restoring critical systems from backups – this is the only way to be sure the backups will actually work when needed.”
  9. Incident Response Plan. 23 NYCRR § 500.16 requires companies to have an incident response plan. NY DFS advises that the incident response plan “should be tested, and the testing should include senior leadership – decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident.”
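Items 3, 5 and 6 above translate directly into checks that an organization can run against its own privileged-account inventory. The following script is an added illustration written for this post; it is not part of the NY DFS Guidance and does not reflect any NY DFS tooling. The account inventory, the abbreviated banned-password list and the rule that flags privileged service accounts permitted to log in remotely are all constructed assumptions for the example; a real deployment would pull the inventory from its directory and load a full common-password corpus.

```python
"""Audit a privileged-account inventory against the controls the NY DFS
ransomware guidance describes: MFA on privileged and remote logins, 16-character
minimum passwords that are not on a banned list, and a separate non-privileged
account for every administrator.  Example code for this post, not NY DFS's."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed, deliberately short banned list. Replace with a full corpus of
# commonly used / breached passwords in practice.
COMMON_PASSWORDS = {
    "password", "password123", "welcome1", "admin123", "letmein",
    "correcthorsebatterystaple",
}
MIN_PRIVILEGED_PASSWORD_LENGTH = 16  # guidance: "at least 16 characters"


@dataclass
class Account:
    name: str
    privileged: bool
    owner: str = ""               # person responsible; empty for service accounts
    service_account: bool = False
    mfa_enabled: bool = False
    remote_access: bool = False   # may log in remotely (VPN, RDP, etc.)


def validate_privileged_password(password: str) -> list[str]:
    """Return the policy violations for a proposed privileged-account password.
    Intended to run at password-change time; the audit below never sees passwords."""
    problems = []
    if len(password) < MIN_PRIVILEGED_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PRIVILEGED_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the banned common-password list")
    return problems


def audit_accounts(accounts: list[Account]) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for every control the inventory fails."""
    findings = []
    # Owners who already have a standard (non-privileged) day-to-day account.
    owners_with_standard_account = {a.owner for a in accounts if a.owner and not a.privileged}
    for a in accounts:
        if a.privileged and not a.mfa_enabled:
            findings.append((a.name, "privileged account without MFA"))
        if a.remote_access and not a.mfa_enabled:
            findings.append((a.name, "remote access without MFA"))
        if a.privileged and not a.service_account and a.owner not in owners_with_standard_account:
            findings.append((a.name, "administrator has no separate non-privileged account"))
        # Assumed interpretation of "same or more restrictive access controls":
        # a privileged service account should not be permitted interactive remote login.
        if a.privileged and a.service_account and a.remote_access:
            findings.append((a.name, "privileged service account permitted remote login"))
    return findings


# Constructed sample inventory: one compliant admin pair, one non-compliant admin,
# one service account.
INVENTORY = [
    Account("jdoe", privileged=False, owner="jdoe", mfa_enabled=True, remote_access=True),
    Account("jdoe-adm", privileged=True, owner="jdoe", mfa_enabled=True),
    Account("asmith-adm", privileged=True, owner="asmith", mfa_enabled=False, remote_access=True),
    Account("svc-backup", privileged=True, service_account=True),
]

if __name__ == "__main__":
    for account, finding in audit_accounts(INVENTORY):
        print(f"{account}: {finding}")
    print(validate_privileged_password("Tr0ub4dor&3"))
```

Running the script against the constructed inventory reports three findings for `asmith-adm` (no MFA, remote access without MFA, no separate standard account) and one for `svc-backup` (no MFA), while `jdoe-adm` passes. The password check is kept separate from the inventory audit on purpose: the audit works from account attributes that a directory export provides, and the password policy is enforced where the password is set, so no plaintext secrets ever flow into the audit.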

What does this mean? No doubt, the controls and safeguards emphasized by NY DFS in its latest guidance were inspired by specific ransomware attacks. The fingerprints are there, one just needs to look closely. Yet, the safeguards suggested are not that earth-shattering. In fact, other organizations and regulators have given them emphasis for several years.

More noteworthy, in some ways, is NY DFS’s observation that ransomware has caused loss ratios on cyber insurance to increase “from an average of 42% during 2015-2019 to 73% in 2020,” thereby leading to increased costs that are affecting premiums and the scope of coverage. NY DFS notes that, “[m]ore encouragingly, rising costs are also pressuring insurers to be more rigorous in assessing the cybersecurity of their customers and pricing insurance according to that risk.” The wording of this last point is curious. As in its Cyber Insurance Framework, is NY DFS suggesting (or implying) that carriers have a responsibility or expectation to ensure the cyber hygiene of their prospective policyholders? Will NY DFS shift its attention to underwriting as a way to solve cyber hygiene in the marketplace? Or is NY DFS merely reporting on the implementation of more rigorous underwriting practices by more insurers? If so, what are prospective policyholders doing to prepare?