The New York Department of Financial Services (NYDFS) issued new guidance this week intended to assist organizations in thwarting ransomware attacks. The guidance clarifies the NYDFS’ expectation that NYDFS-regulated companies should “implement these controls whenever possible” and report any successful deployment of ransomware or unauthorized access to privilege accounts to the NYDFS under its established cybersecurity event reporting regulations. This guidance comes at an inflection point for cybersecurity and ransomware, as “the rate of ransomware attacks increased 300% in 2020,” as recently noted by Homeland Security Secretary Alejandro Mayorkas and as NYDFS continues to focus on the silent and systemic risks posed by ransomware to the financial services sector. In connection with releasing its guidance, the NYDFS warned that ransomware attacks “could cause the next great financial crisis” and “lead to a loss of confidence in the financial system.” Below we outline the key takeaways from the latest NYDFS guidance.
Nine Cybersecurity Controls
Given these risks, the NYDFS issued prescriptive guidance under its Cybersecurity Regulation, urging every NYDFS-regulated company, no matter the size or complexity, to implement the below nine cybersecurity controls, wherever possible. In its guidance, the NYDFS tied each of the controls to pre-existing regulatory requirements within 23 NYCRR Part 500.
1. Email Filtering and Anti-Phishing Training. The guidance interprets the requirements to implement and maintain a written cybersecurity policy including addressing the regulated entity’s “systems and network monitoring” per 23 NYCRR § 500.3(h) to include email filtering “to block spam and malicious attachments/links from reaching users.” Furthermore, companies should include recurring phishing training and periodic phishing exercises/tests as a part of their regular cybersecurity awareness training per 23 NYCRR § 500.14(b).
2. Vulnerability/Patch Management. The guidance makes it clear that the obligation to maintain a written cybersecurity policy should include a “documented program to identify, assess, track, and remediate vulnerabilities on enterprise assets within their infrastructure.” (23 NYCRR § 500.03(g)). The NYDFS recommends that regulated companies enable automatic updates to minimize vulnerabilities and manual patch management. The vulnerability and patch management policy requires periodic penetration testing under 23 NYCRR § 500.5(a). Because the current regulation requires annual rather than periodic penetration testing, this may be one area where NYDFS is considering revising its regulation in the near future to require bi-annual penetration testing, similar to the more standards under PCI-DSS.
3. Multi-Factor Authentication (“MFA”). The guidance emphasizes the effectiveness of MFA from preventing hackers from accessing the regulated entity’s network and reiterates the requirement of MFA for remote access. (23 NYCRR § 500.12(b)). Although the regulation itself contains an exception to MFA implementation, consistent with recent remarks by senior NYDFS Cybersecurity personnel that suggested that acceptable exceptions to the MFA requirement would be fairly limited in practice, the guidance does not acknowledge or refer to the MFA exception in subsection 500.12(b).
4. Disable RDP Access. As a recommended practice, regulated entities should disable RDP access unless it is absolutely necessary.
5. Password Management. As a part of a regulated entity’s access controls and identity management policy (23 NYCRR § 500.3(d)), the guidance suggests the use of strong, unique passwords (neither “strong” nor “unique” are defined). With that said, the guidance does provide more details on password strength regarding “privileged user accounts”, requiring “passwords of at least 16 characters and [a] ban [on] commonly used passwords.” In addition, it recommended against caching passwords and, particularly for large organizations, recommended the implementation of a password vault for privileged user accounts.
6. Privileged Access Management. The guidance recommends that regulated entities provide privileged user accounts to the absolute minimum number of users (23 NYCRR §§ 501.3(d) and 500.7) and implement strong passwords (see #5 above) and MFA (see #3 above) on such accounts.
7. Monitoring and Response. In addition to implementing email filtering as a part of a regulated entity’s written cybersecurity policy (see #1 above), the NYDFS guidance states that per 23 NYCRR § 500.3(h), regulated entities “must have a way to monitor their systems for intruders and respond to alerts of suspicious activity,” such as utilizing an Endpoint Detection and Response solution and, specifically for larger more complex organizations, a Security Information and Event Management tool.
8. Tested and Segregated Backups. In preparation for a ransomware attack, regulated companies should ensure their systems are backed up and that such backups are segregated from the network and offline (23 NYCRR §§ 500.3(e), (f), and (n)). It is critical that these backups are segregated from the network and offline (and the backups are tested), as the hackers almost always try to disable backups, as a means of incentivizing ransom payments.
9. Incident Response Plan. The guidance stipulates that the written incident response plan, as required by 23 NYCRR § 500.16, should explicitly address ransomware attacks and such plan should be tested in advance of any incident (i.e., tabletop exercises).
Under the existing language of the NYDFS Cybersecurity Regulation, regulated entities must report cybersecurity events that have a “reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity” to the NYDFS within 72 hours (23 NYCRR § 500.17(b)). According to the NYDFS, regulated entities should report (1) any successful deployment of ransomware on their internal network and/or (2) “any intrusion where hackers gain access to privileged accounts” to the NYDFS “as promptly as possible and within 72 hours at the latest.” So although the NYDFS has not introduced a new explicit reporting requirement, which presumably would be subject to the formal notice and comment period, the NYDFS has signaled that such formal revisions may be forthcoming with respect to both reporting and other technical compliance aspects of the regulation.
In the interim, this guidance to report such cybersecurity incidents within the pre-existing reporting deadline is consistent with other regulators’ recent requests for licensees to report ransomware, such as the Massachusetts Division of Banks. Further, because this guidance represents the NYDFS’ interpretation of its cybersecurity requirements and reasonable security as applied to ransomware prevention, the guidance could serve as a potential roadmap in the examination, investigation, and enforcement contexts. Accordingly, regulated entities may wish to evaluate the effectiveness of their information security programs, specifically the nine cybersecurity controls set forth in the guidance and their reporting capabilities. Should a regulated entity determine that any of these controls may be infeasible to implement and maintain, such entity may choose to document the infeasibility.
Finally, in an effort to boost cybersecurity controls, the NYDFS has partnered with the Global Cyber Alliance (GCA) to promote GCA’s Cybersecurity Toolkit for Small Business and provides a link to the federal Cybersecurity and Infrastructure Security Agency resource, which may be a particularly helpful resource for small and medium sized businesses.