NYDFS Issues Ransomware Prevention Guidance for Financial Services Firms
The NYDFS has issued guidance for financial services companies on how to reduce the risk of ransomware attacks - including having a capable endpoint detection and response (EDR) solution in place.
The New York State Department of Financial Services - which oversees banks, insurance, and financial services firms in New York state - recently issued guidance for those firms on ways to reduce the risk of a ransomware attack.
While backups and an incident response plan are among the measures NYDFS suggests for limiting the damage of an attack, when it comes to actually preventing one the department is stressing the importance of anti-phishing training, multi-factor authentication, and having an endpoint detection and response (EDR) solution in place.
The instructions come on the heels of high-profile ransomware attacks against meat manufacturer JBS USA and Colonial Pipeline earlier this summer, attacks that at least temporarily disrupted the country's food and gasoline supply chains. The guidance is the latest education tool the NYDFS has released. Earlier this year the department released a Cyber Insurance Risk Framework to ensure property/casualty insurers are following best practices.
In a letter to regulated entities two weeks ago, NYDFS Superintendent of Financial Services Linda A. Lacewell highlighted statistics that underscore the growth of the ransomware economy.
"The rise of ransomware has been fueled by the ever-growing payments made by ransomware victims. Cybercriminals keep demanding larger sums – ransom demands increased 171% from 2019 to 2020 and continue to grow," Lacewell wrote, adding that "because of ransomware, loss ratios on cyber insurance increased from an average of 42% during 2015-2019 to 73% in 2020."
Lacewell also used the letter as an opportunity to recap how financial services companies have fared over the last year: according to the letter, DFS-regulated companies reported 74 ransomware attacks, and in 17 of those cases the victim paid a ransom.
Perhaps the most interesting part of the letter is Lacewell's acknowledgement that the department is considering revising its Cybersecurity Regulation to reflect the current threat landscape, especially trends like the uptick in ransomware.
The first of its kind when it took effect in 2017, the NYDFS Cybersecurity Regulation serves as a benchmark for financial services companies that operate in New York when it comes to data security, assessing risk, and overseeing a cybersecurity program.
The groundwork for the regulation was laid almost five years ago at this point, so it is not a complete surprise that the department is looking to retool it. As the letter puts it:
“Drafted in 2016 and 2017, the Department’s ground-breaking Cybersecurity Regulation mandated a handful of specific controls that were widely accepted as necessary minimum controls at the time… Given the evolving and more dangerous threat landscape that exists in 2021, the Department is evaluating what additional controls should be added to its Cybersecurity Regulation.”
To prevent ransomware, the NYDFS is encouraging banks, insurance firms, and financial firms to implement the following controls:
- Organizations should train employees on how to spot, avoid, and report phishing attempts. Email should be filtered to block spam and malicious attachments.
- Companies should have a program in place to identify, assess, track, and remediate vulnerabilities on all enterprise assets. That program should include timely application of patches and updates, automated where possible.
- Multi-factor authentication should be deployed for employees who rely on remote access to the organization's network. All logins should require MFA.
- Remote Desktop Protocol (RDP) access should be disabled.
- Strong, unique passwords should be used, and privileged user accounts should require passwords of at least 16 characters. Larger organizations should look into a password-vaulting privileged access management (PAM) solution.
- Organizations should use privileged access management to safeguard credentials for privileged accounts. Audits should be carried out periodically to ensure those accounts are protected and are being used only for the tasks they are intended for.
- Companies need a way to monitor their systems for intruders, ideally through an endpoint detection and response solution. Larger networks should consider having a way to detect lateral movement and a Security Information and Event Management (SIEM) solution to centralize logging and security event alerting.
To best prepare for a ransomware incident, NYDFS is encouraging organizations to:
- Have tested backups that are segregated from the network and kept offline, so that they remain available and intact in the event of an attack.
- Have an incident response plan that explicitly covers a ransomware attack, and test that plan before an actual attack occurs.