New York’s New Guidance on Preventing Ransomware

Written by: Brett Lawrence, Esq.

On June 30, 2021, the New York Department of Financial Services (“DFS”) issued new guidance on ransomware prevention. Noting the increase in ransomware attacks and increases in the cost of cybercrime, DFS issued nine (9) specific security controls that every business should implement to remove common weaknesses exploited by ransomware criminals.

    1. Email Filtering and Anti-Phishing Training

Train employees to spot, avoid, and report phishing attempts. Businesses should also conduct periodic phishing exercises that test whether employees click on attachments and links in simulated phishing emails.

Email filtering should block spam and other malicious messages from reaching end users.

    2. Vulnerability/Patch Management

Implement a policy to identify, assess, track, and remediate vulnerabilities on all of the business’s assets within its network. This includes periodic penetration testing and the timely application of security patches and updates. Where possible, automatic updates are preferred.

    3. Multi-Factor Authentication (“MFA”)

MFA protects a business’s user accounts from attackers who have obtained or guessed a password and are trying to gain access to its network. All logins to the business’s network and all privileged accounts should require MFA.

    4. Disable Remote Desktop Protocol (“RDP”) Access

RDP should be disabled wherever possible. If RDP is deemed necessary, RDP access should require MFA, be restricted to approved source addresses only, and require a strong password.

    5. Password Management

Businesses should require strong, unique passwords of at least 16 characters, prohibit commonly used passwords, and prevent password caching.
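As an added illustration (not part of the DFS guidance or the original article), the following Python script enforces the thresholds summarized above: a 16-character minimum, rejection of commonly used passwords, and rejection of previously used passwords. It goes slightly beyond the text in two assumed ways: it undoes common letter/symbol substitutions so that "P@ssw0rd" is still caught, and it adds a distinct-character floor so that padding a short password with one repeated character does not satisfy the length rule. The blocklist, salt and sample passwords are constructed for the example.

```python
"""Password-policy check modeled on the DFS ransomware guidance thresholds.

Added example, not code from the DFS guidance or the original article.
"""
import hashlib
import hmac
from typing import Iterable, List

# 16 characters comes from the guidance summarized above; the distinct-character
# floor is this example's own assumption to reject "aaaaaaaaaaaaaaaa".
MIN_LENGTH = 16
MIN_DISTINCT_CHARS = 6

# Constructed sample blocklist. A real deployment would load a large
# breached-password list instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "iloveyou", "football", "monkey", "dragon", "admin",
}

# Common substitutions, so that "P@ssw0rd" is recognised as "password".
_LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(password: str) -> str:
    """Lowercase, undo leet substitutions, and keep only letters."""
    return "".join(ch for ch in password.lower().translate(_LEET) if ch.isalpha())


def password_fingerprint(password: str, salt: bytes) -> bytes:
    """Slow salted hash used to keep a password history without storing
    plaintext. PBKDF2-HMAC-SHA256 from the standard library is used here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def check_password(password: str,
                   previous: Iterable[bytes] = (),
                   salt: bytes = b"") -> List[str]:
    """Return a list of policy failures; an empty list means the password passes.

    `previous` holds fingerprints of the user's earlier passwords (uniqueness),
    `salt` is the per-user salt those fingerprints were computed with."""
    failures: List[str] = []

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    if len(set(password)) < MIN_DISTINCT_CHARS:
        failures.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")

    # Check both the raw lowercase form (catches "123456") and the normalized
    # form (catches leet-speak variants of dictionary words).
    lowered, norm = password.lower(), normalize(password)
    if any(word in lowered or word in norm for word in COMMON_PASSWORDS):
        failures.append("contains a commonly used password")

    previous = list(previous)
    if previous:
        fp = password_fingerprint(password, salt)
        # Constant-time comparison against every stored fingerprint.
        if any(hmac.compare_digest(fp, old) for old in previous):
            failures.append("reuses a previous password")

    return failures


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    history = [password_fingerprint("correct horse battery staple", salt)]
    for candidate in ["correct horse battery staple", "P@ssw0rd2021!!!!!",
                      "aaaaaaaaaaaaaaaa", "Tr0ub4dor&3"]:
        print(repr(candidate), check_password(candidate, history, salt) or "OK")
```

The "prevent password caching" item is an endpoint and directory configuration matter (for example, limiting cached domain logons on Windows hosts) rather than something a validator like this can check; it belongs in the system hardening baseline alongside this policy.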

    6. Privileged Access Management

A policy that grants each user and service account only the minimum level of access necessary to perform its specific job.

    7. Monitoring and Response

Implement an Endpoint Detection and Response (“EDR”) solution. An EDR solution monitors a business’s endpoints and network for intruders and responds to alerts of suspicious activity. Larger businesses should also have a Security Information and Event Management (“SIEM”) solution that centralizes logging and security event alerting.

    8. Tested and Segregated Backups

Maintain backups that are segregated from the network so that the same attack cannot encrypt them, and test them regularly to confirm they allow recovery in the event of a ransomware attack. A working backup lets a business restore data that would otherwise be lost or altered.

    9. Incident Response Plan

A plan that explicitly addresses the procedures to follow in the wake of a ransomware attack. The plan should be tested beforehand so that the business understands the protocol before an incident occurs.
