Jul 02
DFS Issues New Guidance on Ransomware Threat

Warning of the danger of ransomware attacks, the New York State Department of Financial Services (DFS) has instructed the companies it regulates to put controls in place. DFS regulates the insurance industry, including agents and brokers, in New York.

In a June 30 letter, the department said ransomware attacks are increasing. DFS-regulated companies reported an average of one ransomware attack a week between January 2020 and May 2021. Although the federal government and DFS discourage paying ransoms, 17 companies did so. The attacks are driving up costs, impacting cyber insurance premiums and coverage scope.

According to the letter, ransomware attacks follow a consistent pattern. Hackers enter a victim’s network using one of three techniques:

  • Phishing
  • Exploiting unpatched network vulnerabilities
  • Exploiting poorly secured “remote desktop protocols” (RDP). RDP enables remote control of computers.

Once in, hackers swipe encrypted passwords for administrator (also known as “privileged user”) accounts. They break the encryption using password-cracking software. From there, they install ransomware, work around security controls, and target backup records.

DFS said it expects regulated companies to implement these ransomware prevention controls wherever possible:

  • Email filtering and anti-phishing training
  • Vulnerability/patch management
  • Multi-factor authentication
  • Disabling RDP access for most users
  • Password management, particularly for administrators
  • Restricting privileged user access as much as possible
  • Monitoring and response
  • Testing and segregating backups
  • Preparing an incident response plan

The department acknowledged the burden this guidance places on small insurance agencies and brokerages, but argued that there is little choice. “We recognize that implementing some controls is more challenging for small businesses,” the letter said, “but failing to do so may ultimately result in greater losses as small businesses are frequently targets for ransomware and other cybercrimes precisely because they are often more vulnerable.” The U.S. secretary of homeland security recently claimed that 50% to 75% of ransomware attacks target small businesses.

DFS has partnered with the Global Cyber Alliance to promote a Cybersecurity Toolkit for Small Business. The letter also linked to small business resources from the federal Cybersecurity and Infrastructure Security Agency.

DFS said it is considering unspecified changes to its Cybersecurity Requirements For Financial Services Companies regulation.

Visit for resources on complying with the regulation. On July 13, Big I NY is hosting a free webinar for members titled 5 Cyber Security Protections EVERY Agency Needs NOW. Walter Contreras of network security consulting firm Motiva will be the presenter. We encourage as many of you as possible to attend.
