Featured NYDFS Issues Guidance On Cybersecurity Controls To Combat Ransomware And Clarifies Reporting Obligations - Technology

Published on July 6th, 2021



The New York Department of Financial Services (NYDFS) issued new
guidance this week intended to assist organizations in thwarting
ransomware attacks. The guidance clarifies the NYDFS' expectation
that NYDFS-regulated companies should "implement these controls
whenever possible" and report any successful deployment of
ransomware or unauthorized access to privileged accounts to the
NYDFS under its established cybersecurity event reporting
regulations. This guidance comes at an inflection point for
cybersecurity and ransomware, as "the rate of ransomware attacks
increased 300% in 2020," as recently noted by Homeland Security
Secretary Alejandro Mayorkas, and as NYDFS continues to focus on the
silent and systemic risks posed by ransomware to the financial
services sector. In connection with releasing its guidance, the
NYDFS warned that ransomware attacks "could cause the next great
financial crisis" and "lead to a loss of confidence in the
financial system." Below we outline the key takeaways from the
latest NYDFS guidance.

Nine Cybersecurity Controls

Given these risks, the NYDFS issued prescriptive guidance under
its Cybersecurity Regulation, urging every NYDFS-regulated company,
no matter the size or complexity, to implement the below nine
cybersecurity controls, wherever possible. In its guidance, the
NYDFS tied each of the controls to pre-existing regulatory
requirements within 23 NYCRR Part 500.

1. Email Filtering and Anti-Phishing Training.
The guidance interprets the requirements to implement and maintain
a written cybersecurity policy including addressing the regulated
entity's "systems and network monitoring" per 23
NYCRR § 500.3(h) to include email filtering "to block
spam and malicious attachments/links from reaching users."
Furthermore, companies should include recurring phishing training
and periodic phishing exercises/tests as a part of their regular
cybersecurity awareness training per 23 NYCRR § 500.14(b).

2. Vulnerability/Patch Management. The guidance
makes it clear that the obligation to maintain a written
cybersecurity policy should include a "documented program to
identify, assess, track, and remediate vulnerabilities on
enterprise assets within their infrastructure." (23 NYCRR
§ 500.03(g)). The NYDFS recommends that regulated companies
enable automatic updates to minimize vulnerabilities and the need
for manual patch management. The vulnerability and patch management
policy requires periodic penetration testing under 23 NYCRR
§ 500.5(a). Because the current regulation requires
annual rather than periodic penetration testing,
this may be one area where NYDFS is considering revising its
regulation in the near future to require bi-annual penetration
testing, similar to the standards under PCI-DSS.

3. Multi-Factor Authentication ("MFA"). The guidance
emphasizes the effectiveness of MFA in preventing hackers from
accessing the regulated entity's network and reiterates the
requirement of MFA for remote access. (23 NYCRR § 500.12(b)).
Although the regulation itself contains an exception to the MFA
requirement, the guidance does not acknowledge or refer to the
exception in subsection 500.12(b). This is consistent with recent
remarks by senior NYDFS cybersecurity personnel suggesting that
acceptable exceptions to the MFA requirement would be fairly limited
in practice.

4. Disable RDP Access. As a recommended
practice, regulated entities should disable RDP access unless it is
absolutely necessary.

5. Password Management. As a part of a
regulated entity's access controls and identity management
policy (23 NYCRR § 500.3(d)), the guidance suggests the use of
strong, unique passwords (neither "strong" nor
"unique" are defined). With that said, the guidance does
provide more details on password strength regarding
"privileged user accounts", requiring "passwords of
at least 16 characters and [a] ban [on] commonly used
passwords." In addition, it recommended against caching
passwords and, particularly for large organizations, recommended
the implementation of a password vault for privileged user
accounts.

6. Privileged Access Management. The guidance
recommends that regulated entities provide privileged user accounts
to the absolute minimum number of users (23 NYCRR §§
500.3(d) and 500.7) and implement strong passwords (see #5 above)
and MFA (see #3 above) on such accounts.

7. Monitoring and Response. In addition to
implementing email filtering as a part of a regulated entity's
written cybersecurity policy (see #1 above), the NYDFS guidance
states that per 23 NYCRR § 500.3(h), regulated entities
"must have a way to monitor their systems for intruders and
respond to alerts of suspicious activity," such as by utilizing
an Endpoint Detection and Response solution and, specifically for
larger, more complex organizations, a Security Information and
Event Management tool.

8. Tested and Segregated Backups. In
preparation for a ransomware attack, regulated companies should
ensure their systems are backed up and that such backups are
segregated from the network and offline (23 NYCRR §§
500.3(e), (f), and (n)). It is critical that these backups are
segregated from the network, kept offline, and tested, as hackers
almost always try to disable backups as a means of incentivizing
ransom payments.

9. Incident Response Plan. The guidance
stipulates that the written incident response plan, as required by
23 NYCRR § 500.16, should explicitly address
ransomware attacks, and that the plan should be tested in advance of
any incident (i.e., through tabletop exercises).

Reporting Obligations

Under the existing language of the NYDFS Cybersecurity
Regulation, regulated entities must report cybersecurity events
that have a "reasonable likelihood of materially harming any
material part of the normal operation(s) of the covered
entity" to the NYDFS within 72 hours (23 NYCRR §
500.17(b)). According to the NYDFS, regulated entities should
report (1) any successful deployment of ransomware on their
internal network and/or (2) "any intrusion where hackers gain
access to privileged accounts" to the NYDFS "as promptly
as possible and within 72 hours at the latest." Although
the NYDFS has not introduced a new explicit reporting requirement,
which presumably would be subject to the formal notice and comment
period, the NYDFS has signaled that such formal revisions may be
forthcoming with respect to both reporting and other technical
compliance aspects of the regulation.

In the interim, this guidance to report such cybersecurity
incidents within the pre-existing reporting deadline is consistent
with other regulators' recent requests for licensees to report
ransomware, such as the Massachusetts Division of Banks. Further,
because this guidance represents the NYDFS' interpretation of
its cybersecurity requirements and reasonable security as applied
to ransomware prevention, the guidance could serve as a potential
roadmap in the examination, investigation, and enforcement
contexts. Accordingly, regulated entities may wish to evaluate the
effectiveness of their information security programs, specifically
the nine cybersecurity controls set forth in the guidance and their
reporting capabilities. Should a regulated entity determine that
any of these controls may be infeasible to implement and maintain,
such entity may choose to document the infeasibility.

Finally, in an effort to boost cybersecurity controls, the NYDFS
has partnered with the Global Cyber Alliance (GCA) to promote GCA's
Cybersecurity Toolkit for Small Business and provides a link to the
federal Cybersecurity and Infrastructure Security Agency resource,
which may be a particularly helpful resource for small- and
medium-sized businesses.


The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
