December 8, 2022

Volume XII, Number 342


NYDFS Issues Ransomware Guidance

The New York State Department of Financial Services recently announced new guidance addressing ransomware attacks and highlighting cybersecurity measures that significantly reduce the risk of an attack. The guidance comes as ransomware rates have been increasing, and builds on the post-SolarWinds guidance from NYDFS about supply chain management. It was released just prior to the most recent large attack, namely the July 2nd supply-chain ransomware attack centered on the U.S. information technology firm Kaseya.

The guidance was generated from reports to NYDFS of 74 ransomware attacks from NYDFS-regulated companies between January 2020 and May 2021, which it said followed a similar pattern: “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” NYDFS – in step with the FBI – recommends against paying ransoms because such payments (i) may violate the Treasury’s OFAC sanctions, (ii) do not guarantee that the company will regain access to all its data, or that the company’s data will not be leaked later anyway, and (iii) will likely not prevent subsequent attacks. Instead, in the guidance NYDFS urged all regulated entities to implement the following multi-layered approach to cybersecurity:

  • Train employees about email filtering and anti-phishing;

  • Implement a vulnerability and patch management program;

  • Use multi-factor authentication;

  • Disable RDP access from the internet wherever possible;

  • Use strong, unique passwords;

  • Employ privileged access management so that each user has the minimum level of access necessary to perform the job;

  • Monitor systems for intruders;

  • Segregate and test backups; and

  • Include a ransomware-specific incident response plan that is tested.

Putting it Into Practice: This guidance is a reminder that while supply-chain cybersecurity threats have been gaining headlines, cyberattacks still can and do occur as a result of phishing attacks, human error, and failures in controls. Teaching employees about good cyber hygiene helps to mitigate the risk that employees will fall prey to sophisticated phishing or socially-engineered fake emails. Companies should couple their employee cybersecurity training with the implementation of a robust cybersecurity program that utilizes diversified security measures and tests controls to ensure system endpoints are protected from threats.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 193

About this Author

A.J. S. Dhaliwal Bankruptcy Attorney Sheppard Mullin Washington DC

A.J. is an associate in the Finance and Bankruptcy Practice Group in the firm's Washington, D.C. office. 

A.J. has over a decade of experience helping banks, non-bank financial institutions, and other companies providing financial products and services in a wide range of matters including government enforcement actions, civil litigation, regulatory examinations, and internal investigations.

With a diversified regulatory, compliance, and enforcement background, A.J. counsels financial institutions in matters involving...

Kari Rollins Intellectual Property Lawyer Sheppard

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...