June 30, 2021

To: All New York State Regulated Entities

Re: Ransomware Guidance

The ransomware crisis threatens every financial services company and their customers.  And a major ransomware attack could cause the next great financial crisis.  A ransomware attack that simultaneously cripples several financial services companies could lead to a loss of confidence in the financial system.  This could happen either through an exploitation of a vulnerability in widely used software to attack many companies at once – as seen recently for SolarWinds and Microsoft Exchange – or through a single ransomware attack that disables critical infrastructure for financial services, such as a cloud services provider or a regional power grid.

As ransomware attacks continue to grow in number, scope, and sophistication, they are fueling a sharp increase in the cost of cybercrime.  Homeland Security Secretary Alejandro Mayorkas recently stated that “the rate of ransomware attacks increased 300% in 2020.”^[1]  Ransomware is costly because it is the most disruptive cybercrime.  Unlike cybercrime focused on theft, ransomware sidelines organizations – it shuts down hospitals, schools, and companies.  It prevents consumers from getting services, patients from receiving care, and employees from working.  Since mid-2020, ransomware criminals usually also steal data before deploying ransomware so that they can extort victims by threatening to publish the data – so-called “double extortion.” 

As the Department of Financial Services (“the Department” or “DFS”) noted in the Cyber Insurance Risk Framework in February 2021, the cost of ransomware has also shaken up the cyber insurance market.  Because of ransomware, loss ratios on cyber insurance increased from an average of 42% during 2015-2019 to 73% in 2020.^[2]  Increasing costs are impacting premiums and the scope of coverage.  More encouragingly, rising costs are also pressuring insurers to be more rigorous in assessing the cybersecurity of their customers and pricing insurance according to that risk.

The rise of ransomware has been fueled by the ever-growing payments made by ransomware victims.  Cybercriminals keep demanding larger sums – ransom demands increased 171% from 2019 to 2020 and continue to grow.^[3]  A major insurer, CNA, recently paid a $40 million ransom.^[4]  These extortion payments have funded more frequent and more sophisticated ransomware attacks.  Cybercriminals use these payments to finance a ransomware industry by developing more sophisticated hacking and ransomware tools and recruiting more hackers and other cybercriminals into ransomware enterprises.

The Department, like the FBI, recommends against paying ransoms.  Paying ransoms encourages and funds future ransomware attacks, and may also risk violating OFAC sanctions.^[5]  Experts have also reported that in many cases even when victims paid, companies have not been able to regain access to all of their data and  their data was later leaked anyway.^[6]  Furthermore, a recent study found that 80% of victim organizations who paid a ransom experienced subsequent attacks.^[7] 

The good news is that most ransomware attacks can be prevented.  The Department has investigated each ransomware attack reported by a DFS-regulated company and consulted extensively with experts.  Ransomware criminals are repeatedly using the same handful of techniques.  Each step in this playbook has known cybersecurity countermeasures, which if implemented effectively will substantially reduce the risk of a successful ransomware attack.  These key cybersecurity controls are summarized below.

Each company should implement a cybersecurity program that is proportionate to its resources and risk.  But regardless of a company’s size or complexity, key cyber hygiene measures must be in place to mitigate the risk of a successful attack.  Given the substantial risk that now exists, every DFS-regulated company should seek to implement the controls outlined in this Guidance to the extent possible. 

We recognize that implementing some controls is more challenging for small businesses, but failing to do so may ultimately result in greater losses as small businesses are frequently targets for ransomware and other cybercrimes precisely because they are often more vulnerable.^[8]  The Department has partnered with the Global Cyber Alliance (GCA) to promote the GCA’s Cybersecurity Toolkit for Small Business, and the federal Cybersecurity and Infrastructure Security Agency also has resources for small and medium sized businesses.   

This Guidance is part of the Department’s broader effort to address the risk of ransomware.  The Department is also considering revising its Cybersecurity Regulation to address the evolution in cyber risk.  Drafted in 2016 and 2017, the Department’s ground-breaking Cybersecurity Regulation mandated a handful of specific controls that were widely accepted as necessary minimum controls at the time – for example, Multi-Factor Authentication (“MFA”) for remote access and encryption.  Given the evolving and more dangerous threat landscape that exists in 2021, the Department is evaluating what additional controls should be added to its Cybersecurity Regulation.  The Department welcomes engagement with industry and experts on revisions to its Cybersecurity Regulation.

Ransomware & New York’s Financial Services Industry

From January 2020 through May 2021, DFS-regulated companies have reported 74 ransomware attacks.  These attacks ranged in impact, from crippling days-long shutdowns to minor disruption from temporary loss of a few computers.  17 companies paid a ransom.  The Department has also received a growing number of third-party Cybersecurity Events – where ransomware attacks against a critical vendor disrupt the operations of a regulated company. 

The Department followed up on each of these 74 ransomware incidents to collect information such as the details of the forensic investigation, whether a ransom was paid, and the incident’s impact on sensitive data and company operations.  These ransomware incidents all followed a similar pattern.  Hackers gained entry to the victim’s network using one of three techniques: 1) phishing, 2) exploiting unpatched vulnerabilities, or 3) exploiting poorly secured Remote Desktop Protocols (“RDPs”).^[9]  After gaining access to the network, hackers escalate privileges by obtaining access to administrator (or privileged user and privileged service) accounts.  Hackers typically escalate privileges by stealing encrypted (“hashed”) passwords and then employing password cracking tools on their own computers to decipher stolen passwords.  Hackers then use privileged access to deploy ransomware, circumvent security controls, and target backups.

Reporting Ransomware to the Department

Given that ransomware attacks inherently pose significant risks to the confidentiality, integrity, and availability of an organization’s data, regulated companies should assume that any successful deployment of ransomware on their internal network should be reported to DFS “as promptly as possible and within 72 hours at the latest,” pursuant to 23 NYCRR § 500.17(a).  Likewise, any intrusion where hackers gain access to privileged accounts should be reported.  The Department is considering clarifying its reporting requirements by expressly requiring these types of incidents to be reported.

Preventing Ransomware

There are specific security controls that can address each of the weaknesses commonly exploited by ransomware criminals.  These controls, when implemented together, significantly reduce the risk of a successful ransomware attack.  A multi-layered approach to cybersecurity – often referred to as “defense in depth” – helps to thwart ransomware and other intrusions at each stage of an attack.  The Department expects regulated companies to implement these controls whenever possible. 

1: Email Filtering and Anti-Phishing Training

Employee awareness of their network security obligations and anti-phishing training, in particular, are critical.  Required cybersecurity awareness training pursuant to 23 NYCRR § 500.14(b) should include recurrent phishing training, including how to spot, avoid, and report phishing attempts.  Companies should also conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails, and remedial training for employees as necessary.

Emails should be filtered to block spam and malicious attachments/links from reaching users. 23 NYCRR § 500.3(h).

2: Vulnerability/Patch Management

Companies should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure.  23 NYCRR § 500.03(g).  The program should include periodic penetration testing.  23 NYCRR § 500.05(a).  Timely remediation of vulnerabilities is essential and requires strong governance, including assignment and tracking of responsibilities.  Vulnerability management should include requirements for timely application of security patches and updates.  Wherever possible, regulated companies should enable automatic updates.

3: Multi-Factor Authentication (“MFA”)

MFA protects user accounts and can prevent hackers from obtaining access to the network and from escalating privileges once in the network.  MFA for remote access to the network and all externally exposed enterprise and third-party applications is required by 23 NYCRR § 500.12.  All logins to privileged accounts, whether remote or internal, should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking.  23 NYCRR §§ 500.03(d) & (g); 500.12.

4:  Disable RDP Access

Regulated entities should disable RDP access from the internet wherever possible.  23 NYCRR § 500.03(g).  If, after assessing the risk, RDP access is deemed necessary, then access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.

5: Password Management

Regulated companies should ensure that strong, unique passwords are used.  23 NYCRR § 500.03(d).  Privileged user accounts should require passwords of at least 16 characters and ban commonly used passwords.  Larger organizations with dozens or hundreds of privileged user and service accounts should strongly consider a password vaulting PAM (privileged access management) solution which requires employees to request and check out passwords.  Password caching should be turned off wherever possible.

6: Privileged Access Management

Regulated companies should implement the principle of least privileged access – each user or service account should be given the minimum level of access necessary to perform the job.  23 NYCRR §§ 500.03(d); 500.07.  Privileged accounts should be carefully protected.  As noted above, privileged accounts should universally require MFA and strong passwords.  Companies should also maintain and periodically audit an inventory of all privileged accounts.  Privileged accounts should be used only for tasks requiring elevated privileges, and administrators should have a second non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc. 

Privileged service accounts are a frequent source of compromise and should not be overlooked. Service accounts should have the same or more restrictive access controls as equivalent user accounts. 

7: Monitoring and Response

Regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity.  23 NYCRR § 500.03(h).  Regulated companies should implement an Endpoint Detection and Response (“EDR”) solution, which monitors for anomalous activity.  Advanced EDR can quarantine infected systems, potentially stopping ransomware from executing before it can encrypt the endpoint. EDR can also facilitate incident response.

Companies with larger and more complex networks should also have lateral movement detection and a Security Information and Event Management (SIEM) solution that centralizes logging and security event alerting.

Preparing for an Incident

8:  Tested and Segregated Backups

Regulated companies should maintain comprehensive, segregated backups that will allow recovery in the event of a ransomware attack.  23 NYCRR §§ 500.03(e), (f), and (n).  To prevent hackers from deleting or encrypting backups, at least one set of backups should be segregated from the network and offline.  It is important to periodically test backups by actually restoring critical systems from backups – this is the only way to be sure the backups will actually work when needed. 

9:  Incident Response Plan

Regulated companies should have an incident response plan that explicitly addresses ransomware attacks.  23 NYCRR § 500.16.  The plan should be tested, and the testing should include senior leadership – decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident.