N.Y.: DFS issues guidance to reduce ransomware attacks

July 8, 2021

Following a sharp increase in the number of ransomware attacks on businesses, the New York State Department of Financial Services released new guidance on how the entities it regulates can reduce the likelihood of such attacks and limit their impact.

These recommendations do not alter the current cyber security regulations that apply to all entities the DFS regulates. Although the regulations may not require partially exempt entities to implement all the following recommendations, the DFS encourages every business to consider adopting these practices to reduce the risk of a ransomware attack.

Per the guidance, the DFS recommends that all regulated entities adopt the following measures:

Email filtering and anti-phishing training. Employee awareness of network security obligations and regular anti-phishing training are critical to securing any network, because phishing email remains one of the most common ways ransomware gets onto a network. Periodic phishing exercises help employers see which employees still fall for lures and where further training is needed. These steps are essential for any entity in which multiple employees have access to data systems.

Vulnerability and patch management. The DFS recommends that businesses have a thorough program to identify and assess vulnerabilities in their infrastructure, including periodic penetration testing, so that weaknesses are found, assessed and remedied. Updates and patches should be applied promptly and, where possible, automatically.

Multifactor authentication. Multifactor authentication adds a second factor to the login, so a password that has been cracked, phished or reused from another breach is no longer enough on its own to gain access. The DFS recommends that businesses adopt MFA for all privileged accounts, including accounts that are accessed only internally, to reduce the likelihood of a breach and to limit the reach of any breach that does occur.

Disable RDP access. Remote desktop protocol lets a user control a work computer from another device, often on another network, and remote desktop that is reachable from the internet is a frequent entry point for ransomware. Employers should disable remote desktop access wherever it is not needed. When an entity deems RDP necessary, the DFS recommends restricting access to approved originating sources (for example, allowing connections only from specific network addresses or only through the company VPN) and requiring MFA for access.

Password management. Entities should ensure that all employees have strong, unique passwords. The DFS recommends passwords of at least 16 characters and that employers prohibit commonly used passwords; note that a password which meets the length rule but is built on a common word with digits or symbols padded onto the end is still weak. Whenever possible, employers and users should turn off password caching, in which a web browser saves passwords, because passwords saved in the browser can be harvested by malware that reaches the workstation.
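As an added illustration, not part of the DFS guidance or of this article, the following Python code shows what a password-policy check built on the two rules above looks like in practice: it enforces the 16-character minimum and rejects passwords built on common words, normalizing the candidate the way cracking tools do so that padding and character substitutions do not slip past the blocklist. The blocklist, the substitution table and the sample passwords are constructed for this example; a real deployment would load a large list of breached or commonly used passwords from a file.

```python
import string

# Constructed sample blocklist for this example. A real deployment would load
# a large list of breached or commonly used passwords from a file instead.
COMMON_PASSWORDS = {
    "password", "letmein", "welcome", "qwerty", "admin",
    "iloveyou", "baseball", "football", "monkey", "dragon", "sunshine",
}

MIN_LENGTH = 16  # the minimum length recommended in the guidance

# Characters that cracking rules strip from the ends of a base word
# (e.g. "Welcome2021!" -> "welcome").
_EDGE_CHARS = string.punctuation + string.digits + string.whitespace

# Common "leet" substitutions, reversed so "P@ssw0rd" normalizes to "password".
# Assumed table for this example; cracking tools use much larger rule sets.
_LEET = str.maketrans("@$01345", "asoieas")


def normalize(password: str) -> str:
    """Reduce a password to the base word an attacker would guess:
    lower-case it, drop digits/symbols padded onto the ends, undo leet."""
    return password.lower().strip(_EDGE_CHARS).translate(_LEET)


def smallest_period(s: str) -> int:
    """Length of the shortest substring whose repetition forms s
    (returns len(s) when s does not repeat)."""
    for n in range(1, len(s) // 2 + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return n
    return len(s)


def check_password(password: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the policy violations for a candidate password.
    An empty list means the password is acceptable under this policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    base = normalize(password)
    if base in blocklist:
        problems.append(f"is the common password '{base}' with padding")
    else:
        # Long passphrases can still embed a common word; only look for
        # words of 6+ characters to avoid noisy matches on short ones.
        for word in sorted(blocklist):  # sorted for deterministic messages
            if len(word) >= 6 and word in base:
                problems.append(f"contains the common password '{word}'")
                break

    # Repeating a short token satisfies the length rule without adding entropy.
    period = smallest_period(password)
    if period < len(password):
        problems.append(
            f"is '{password[:period]}' repeated {len(password) // period} times"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ("P@ssw0rd2021!!!!", "Tr0ub4dor&3",
                      "abcabcabcabcabcabc", "correct horse battery staple"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The point of `normalize` is that "P@ssw0rd2021!!!!" is 16 characters long and would pass a naive length-plus-exact-match check, yet it reduces to "password" and is rejected. A plain passphrase of unrelated words passes every rule.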

Privileged access management. Entities of all sizes should give employees the least privileged access necessary to do their jobs: most employees should be able to reach only the parts of the systems their work requires, which keeps the number of privileged accounts small. Privileged access also should be protected by MFA and strong passwords, and entities should review the list of privileged accounts regularly and remove those no longer needed. Even employees who hold privileged accounts should use a separate, nonprivileged account for routine work such as logging in to their own computer and reading email, so that a phishing message opened from the everyday account does not hand an attacker administrative rights.

Monitoring and response. Businesses should deploy an endpoint detection and response solution to monitor activity on their systems and respond to suspicious behavior. EDR products are available at levels of capability and cost suited to a company's size and corresponding security needs.

Preparing for an incident

The DFS's last two recommendations focus on preparing for a potential cyber security incident so that a breach can be contained and the response is timely.

Tested and segregated backups. Maintaining comprehensive, segregated backups of all company data allows for a much easier recovery in the event of a ransomware attack. To protect the backups from the attack itself, the DFS recommends keeping at least one backup offline and segregated from the company network, since ransomware routinely encrypts or deletes any backup it can reach from the compromised network. Backups also should be tested regularly, by actually restoring data from them rather than only confirming that the backup job ran, and updated when appropriate.

Incident response plan. Companies should have an incident response plan that specifically covers ransomware. The plan gives the company a guided response if an attack occurs, and it should be tested with key decision makers, for example in a tabletop exercise, before it is needed.

Ransomware attacks are more prevalent than ever, and one could hit your agency. Follow these guidelines from the DFS, because you cannot know when an attack will come. Act now.

PIANY has more information on how to comply with DFS cyber regulations and how to protect your agency through PIA’s Privacy Compliance Central. If you have questions, call PIANY at (800) 424-4244 or email the Industry Resource Center.

About the author…

Clare Irvine, Esq.

Clare Irvine, Esq., joined the PIA Government & Industry Affairs team in 2018 as government affairs counsel. She serves as in-house counsel, responsible for managing public affairs agendas in multiple states, tracking legislation, regulations, significant case-law developments and drafting position statements and testimony. She graduated from Fordham University School of Law and Arizona State University.
