Superintendent Lacewell Announces DFS Issues New Guidance on Ransomware Prevention

Ransomware Crisis Threatens All Financial Services Companies

DFS Guidance Identifies Key Cybersecurity Measures to Reduce Risk of Ransomware Attacks

Superintendent Linda A. Lacewell today announced that the New York State Department of Financial Services (DFS) has issued new guidance on preventing ransomware attacks. In the guidance, DFS identifies cybersecurity controls that significantly reduce the risk of a ransomware attack and should be implemented by companies wherever possible.

“As ransomware attacks continue to surge, implementing cybersecurity measures is critical to protect consumers and business lines,” said Superintendent Lacewell. “As reported, cybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry. We must all do our part to prevent ransomware incidents.”

Ransomware incidents have increased in frequency, scope, and sophistication. The reported rate of ransomware attacks increased 300% in 2020. Larger extortion payments have financed the development of more effective hacking and ransomware tools and have drawn more hackers into the ransomware business. The Department therefore joins the FBI in recommending that companies avoid making ransomware payments if their networks are compromised.

DFS has examined the ransomware incidents reported by its regulated entities over the past year and a half and has observed that they follow a similar pattern: hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.

DFS urges all regulated entities to prepare for a ransomware attack by implementing measures such as:

  • Train Employees in Cybersecurity Awareness and Anti-Phishing;
  • Implement a Vulnerability and Patch Management Program;
  • Use Multi-Factor Authentication and Strong Passwords;
  • Employ Privileged Access Management to Safeguard Credentials for Privileged Accounts;
  • Use Monitoring and Response to Detect and Contain Intruders;
  • Segregate and Test Backups to Ensure that Critical Systems Can Be Restored in the Face of an Attack; and
  • Have a Ransomware-Specific Incident Response Plan that is Tested by Senior Leadership.

The guidance reflects DFS’s commitment to improving cybersecurity and sharing information to protect consumers and the industry. DFS has also issued multiple alerts regarding ongoing cyber threats, including the SolarWinds Attack, weaknesses in Microsoft Exchange Server, and an ongoing cyber fraud campaign identified by the Department.

DFS’s first-in-the-nation Cybersecurity Regulation took effect in March 2017. DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors. In 2019, DFS was also the first financial services regulator to create a Cybersecurity Division to oversee all aspects of its Cybersecurity Regulation across New York’s financial services industry.

A copy of the guidance can be found on the DFS website.