The powerful New York State Department of Financial Services (DFS) has issued a set of guidelines to help all regulated entities prepare for a ransomware attack.
From January 2020 through May 2021, DFS-regulated companies have reported 74 ransomware attacks, according to the regulator. The new guidance identifies security controls that can reduce the risk of a ransomware hijack and should be implemented by companies “wherever possible,” said Superintendent Linda Lacewell.
The recommended measures include:
- Train employees in cybersecurity awareness and anti-phishing.
- Implement a vulnerability and patch management program.
- Use multi-factor authentication and strong passwords.
- Employ privileged access management to safeguard credentials for privileged accounts.
- Use monitoring and response to detect and contain intruders.
- Segregate and test backups to ensure that critical systems can be restored in an attack.
- Have a ransomware specific incident response plan that is tested by senior leadership.
An expanded version of DFS recommendations is here.
MSPs and MSSPs: Financial Services Clientele and Ransomware Attacks
The guidelines are useful for MSPs and MSSPs supporting financial services firms in New York because they provide a framework for how DFS recommends its regulated entities handle ransomware risk and remediation. “As ransomware attacks continue to surge, implementing cybersecurity measures is critical to protect consumers and business lines,” said Lacewell. “As reported, cyber criminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry. We must all do our part to prevent ransomware incidents.”
DFS has said it agrees with the Federal Bureau of Investigation’s (FBI) position that companies should avoid paying ransoms when their networks are compromised. The regulator is also considering revamping its Cybersecurity Regulations, first drafted in 2016 and finalized in February 2017, to address the extensive changes in cyber risk since then. The initial rules set out the requirements for developing and implementing an effective cybersecurity program, requiring covered institutions to assess their cybersecurity risks and to put plans in place to proactively address those risks.
DFS regulates the activities of 1,800 insurance companies and more than 1,400 banking and other financial institutions in New York State, according to the department's website. Examples of DFS covered entities include:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
According to the regulator’s analysis of incidents reported by its regulated entities over the past 18 months, ransomware attackers followed an identifiable pattern:
- Enter a victim’s network.
- Obtain administrator privileges once inside.
- Use those privileges to deploy ransomware, avoid security controls, steal data and disable backups.
Those steps do not differ from the infection patterns reported in other industries, but they add to a wider understanding of the attackers’ tactics, techniques and procedures, and they explain why the recommended controls (least-privileged and protected admin credentials, monitoring for lateral movement, and backups that are segregated from the production network) map directly onto each stage. “Regardless of a company’s size or complexity, key cyber hygiene measures must be in place to mitigate the risk of a successful attack,” officials said. “Given the substantial risk that now exists, every DFS-regulated company should seek to implement the controls outlined in this Guidance to the extent possible.”
DFS has already made clear its intention to enforce its cybersecurity regulations. A year ago, the regulator filed charges against title insurer First American Title Insurance Company, alleging that it violated the DFS Cybersecurity Regulations. It was the first such charge the regulator had levied, and the first of its kind nationally. More followed: this past March, DFS announced that mortgage lender Residential Mortgage Services had agreed to pay a $1.5 million penalty to the agency in a settlement over violations of the Cybersecurity Regulations.