Cybersecurity a Top Priority of DFS
Cybersecurity continues to be a top priority of the Department of Financial Services (“DFS”). Watch this space for revisions to the current cybersecurity regulation and continued enforcement actions for failure to have policies and procedures in place or for inappropriately filing a certificate of compliance. To keep up to date and utilize the tools available, be sure to check out DFS's Cybersecurity Resource Center, including its tools for small businesses.
Revisions to the Cybersecurity Regulation on the Horizon
DFS has advised that it is considering revising its Cybersecurity Regulation to address the evolution in cyber risk. Currently, the Cybersecurity Regulation mandates a handful of specific controls that were widely accepted as necessary minimum controls at the time, e.g., Multi-Factor Authentication. Now, several years after its implementation, the Department is evaluating what additional controls should be added. The Department has indicated that it welcomes engagement with industry. We expect that a proposed regulation will be released by the end of the year.
From January 2020 through May 2021, DFS-regulated entities reported 74 ransomware attacks, of which 17 companies paid a ransom. DFS has also received a growing number of reports of third-party Cybersecurity Events, where ransomware attacks against a critical vendor disrupt the operations of a regulated company. A DFS examination revealed that these attacks follow a similar pattern: hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.
DFS and the FBI recommend against paying ransoms. Paying ransoms encourages and funds future ransomware attacks and may also risk violating OFAC sanctions. Experts have also reported that in many cases, even when victims paid, they were not able to regain access to all of their data, and their data was later leaked anyway.
DFS’s guidance urges all regulated entities to prepare for a ransomware attack by implementing measures such as:
- Train employees in cybersecurity awareness and anti-phishing
- Implement a vulnerability and patch management program
- Use multi-factor authentication and strong passwords
- Employ privileged access management to safeguard credentials for privileged accounts
- Use monitoring and response to detect and contain intruders
- Segregate and test backups to ensure that critical systems can be restored in the face of an attack
- Have a ransomware-specific incident response plan that is tested by senior leadership
DFS recognizes that implementing controls is more challenging for small businesses, but notes that failing to do so may ultimately result in greater losses, as small businesses are frequently targets for ransomware and other cybercrimes precisely because they are often more vulnerable.
Regulated companies should report any successful deployment of ransomware on their internal network “as promptly as possible and within 72 hours at the latest.” Likewise, any intrusion where hackers gain access to privileged accounts should be reported. DFS is considering clarifying its reporting requirements by expressly requiring these types of incidents to be reported.
A copy of the guidance can be found here.