The NYDFS announced new guidance that it recommends regulated financial entities implement to reduce the risk of ransomware attacks. The guidance is in response to a significant increase of ransomware attacks reported by regulated entities to the NYDFS since January 2020. According to the NYDFS, ransomware attacks increased by 300% in 2020. 

Specifically, the NYDFS recommends that entities implement seven measures to manage the risk of ransomware attacks:

1. Train employees on cybersecurity awareness and anti-phishing and conduct periodic phishing exercises; 
2. Implement a vulnerability and patch management program that includes periodic penetration testing, timely application of security patches, and automatic updates;
3. Use multi-factor authentication ("MFA") for remote access to the network and all externally exposed enterprise and third-party applications;
4. Disable remote desktop access wherever possible, and if deemed necessary, use MFA and strong passwords where remote access is needed from approved originating sources; 
5. Require strong, unique passwords of at least 16 characters. Larger entities should strongly consider a password vaulting privilege access management solution which requires employees to check out passwords; 
6. Implement privileged access management based on the principle of least privileged access; 
7. Monitor systems for intruders, respond to suspicious activity, and consider an Endpoint Detection and Response solution. Larger entities should implement lateral movement detection and a Security Information and Event Management solution.

In preparation for a ransomware attack the NYDFS recommends that entities test and maintain comprehensive, segregated, and offline backups to allow for recovery in case of a successful attack. The guidance also recommends that entities implement an incident response plan that explicitly addresses ransomware attacks, and that senior leadership test the plan.

Not surprisingly, the NYDFS recommends against paying a ransom. Because ransomware attacks can present significant risks to the confidentiality, integrity, and availability of regulated companies’ data, the NYDFS directs regulated companies to assume that a successful deployment of ransomware on their internal network should be reported to the NYDFS within 72 hours. Entities also should report intrusions in which hackers gain access to privileged accounts.