Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

NYDFS issues ransomware guidance

Agency Rule-Making & Guidance NYDFS Ransomware Privacy/Cyber Risk & Data Security State Issues State Regulators Bank Regulatory

Agency Rule-Making & Guidance

On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that incidents follow a similar pattern where “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” Following guidance from the Federal Bureau of Investigation, NYDFS recommended that companies avoid making ransomware payments if their networks are compromised. NYDFS also urged all regulated entities to prepare for a ransomware attack by implementing measures such as: (i) training employees in cybersecurity awareness; (ii) implementing a vulnerability and patch management program; (iii) utilizing multi-factor authentications and strong passwords; (iv) using monitoring and response to detect intruders; (v) and having a ransomware-specific incident response plan. NYDFS Superintendent Linda A. Lacewell noted that “[c]ybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry.”