Warning of the danger of ransomware attacks, the New York State Department of Financial Services (DFS) has instructed the companies it regulates to put controls in place. DFS regulates the insurance industry, including agents and brokers, in New York.
In a June 30 letter, the department said ransomware attacks are increasing. DFS-regulated companies reported an average of one ransomware attack a week between January 2020 and May 2021. Although the federal government and DFS discourage paying ransoms, 17 of those companies did pay. The attacks are driving up costs and are affecting both cyber insurance premiums and the scope of coverage.
According to the letter, ransomware attacks follow a consistent pattern. Hackers enter a victim’s network using one of three techniques:
- Phishing emails
- Exploiting unpatched vulnerabilities in network-facing software
- Exploiting poorly secured Remote Desktop Protocol (RDP) services. RDP enables remote control of Windows computers over the network, and an RDP service exposed to the internet with weak or reused passwords is a common entry point.
Once inside, hackers locate and steal stored password hashes for administrator (also known as “privileged user”) accounts and recover the passwords offline with password-cracking software. With those credentials, they work around security controls, target backup records, and install the ransomware.
DFS said it expects regulated companies to implement these ransomware prevention controls wherever possible:
- Email filtering and anti-phishing training
- Vulnerability/patch management
- Multi-factor authentication
- Disabling RDP access for most users
- Password management, particularly for administrators
- Restricting privileged user access as much as possible
- Monitoring and response
- Testing and segregating backups
- Preparing an incident response plan
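One way to check a single Windows host against the RDP, privileged-access and monitoring items in that list, as an added example that is not part of the DFS letter or this article. It assumes a Windows 10 / Server 2016 or later host with PowerShell 5.1 run from an elevated prompt; the registry paths, group name and event ID are standard Windows values, and the script is read-only apart from the commented-out remediation lines at the end.

```powershell
# Added example (not from the DFS letter): audit one Windows host for the
# RDP exposure the guidance warns about. Read-only except where noted.

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means connections are refused.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) {
    Write-Output 'RDP: disabled (matches the "disable RDP for most users" control)'
} else {
    Write-Output 'RDP: ENABLED - confirm this host really needs it'
}

# 2. If RDP is on, is Network Level Authentication required? Without NLA
#    (UserAuthentication = 0) an unauthenticated client reaches the logon screen.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -eq 1) {
    Write-Output 'NLA: required'
} else {
    Write-Output 'NLA: NOT required - enable it or disable RDP'
}

# 3. Who is allowed to log on over RDP? Members of this group plus local
#    Administrators; this list should be as short as possible.
Write-Output 'Accounts permitted to use RDP:'
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object Name, PrincipalSource

# 4. Is the Windows Firewall rule group for Remote Desktop open?
Write-Output 'Remote Desktop firewall rules:'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction

# 5. Monitoring: count failed RDP logons (event 4625, logon type 10) in the
#    last 24 hours. A large number is the password-guessing the letter describes.
$since  = (Get-Date).AddDays(-1).ToUniversalTime().ToString('o')
$xpath  = "*[System[EventID=4625 and TimeCreated[@SystemTime>='$since']]" +
          " and EventData[Data[@Name='LogonType']='10']]"
$failed = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
          Measure-Object
Write-Output ("Failed RDP logons in last 24h: {0}" -f $failed.Count)

# 6. Remediation for hosts that do not need RDP (uncomment to apply):
# Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```

Run it across the fleet with your management tooling and keep the output; it gives an auditor a concrete answer to the RDP, privileged-user and monitoring items in the list above, and the remediation lines are the same change a Group Policy setting would apply centrally.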
The department acknowledged the burden this guidance places on small insurance agencies and brokerages but argued that there is little choice. “We recognize that implementing some controls is more challenging for small businesses,” the letter said, “but failing to do so may ultimately result in greater losses as small businesses are frequently targets for ransomware and other cybercrimes precisely because they are often more vulnerable.” The U.S. secretary of homeland security recently said that 50% to 75% of ransomware attacks target small businesses.