US - NYDFS Issues Ransomware Guidance: What’s a Lawyer to Do?
On June 30, 2021, the New York Department of Financial Services joined in the fight against ransomware by delivering guidance to assist companies in preparing and responding to ransomware (the “DFS Guidance”).
More than regulatory oversight
If you’re looking at this as just more regulatory oversight, you’re missing the mark. The guidance provided by the Department is consistent with the guidance provided earlier in June by the White House. We are fortunate to have Justin Herring leading NYDFS’s Cybersecurity division and Anne Neuberger serving as Deputy National Security Advisor for Cyber, because their guidance makes it clear that they are fighting to help companies and consumers stay secure. The recommendations represent critical table-stakes of technical and operational controls.
But what’s the legal department’s role when it comes to technical controls issued by DFS? Lawyers don’t implement multi factor authentication and patch management programs. Instead, the lawyer’s role is threefold: understand the DFS Guidance and map it to existing controls (with risk assessments); run tabletop exercises for the C-Suite; and work with the technical teams to report incidents.
The tabletop exercises cannot be overstated in light of the following comment by DFS:
“[D]ecision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident.”
It would be a regrettable (and preventable) mistake to report a ransomware attack to NYDFS without also being able to say that the CEO has participated in a tabletop exercise. The company’s response story to regulators starts with describing that day in which the C-Suite sat through a 2-4 hour exercise and walked through an incident.
The Required Controls
The Department has identified three main attack vectors that ransomware operators are using: (1) phishing; (2) exploiting unpatched vulnerabilities; and (3) exploiting “poorly secured Remote Desktop Protocols.” The DFS Guidance is therefore rooted in stopping these three vectors through a series of controls:
- Email Filtering and Anti-Phishing Training: Hackers continue to exploit the weak link as an entry point into companies: People. And the easiest way to exploit people is by email. Companies need to ensure they are complying with the training required by 23 NYCRR § 500.14(b) and the email filtering required by 23 NYCRR § 500.3(h).
- Vulnerability and Patch Management: Hackers have always looked to exploit system vulnerabilities, but in the past 18 months this has been a recurrent and louder theme in ransomware attacks. Nonetheless, many companies take months if not years to implement patches that are well documented. The Department cites both the need for a vulnerability patch management program and the need for penetration testing. 23 NYCRR § 500.03(g) & 23 NYCRR § 500.05(b).
- Multi-Factor Authentication (“MFA”): MFA is not a cure-all, but it certainly makes it harder for hackers and has been high on the regulator cybersecurity checklist. Nonetheless, even companies that have implemented it often find that there were gaps in implementation. The Department was among the first to require it. 23 NYCRR § 500.12
- Disable Remote Desktop Protocol (“RDP”) Access: The Department recommends disabling RDP, citing to 23 NYCRR § 500.03(g). That provision is about ensuring a risk assessment that covers system and network security. Perhaps a stretch to conclude the Cybersecurity Rule covers RDP, but the point is well taken: hackers have exploited RDP and extra security should be implemented when using it.
- Password Management: Simple and easy to guess passwords are just that. Companies need to ensure more complex passwords are used. The Department now recommends 16-character passwords for privileged accounts and special storage of critical passwords (password vaulting). The Department also recommends turning off password caching by systems.
- Privileged Access Management: Once hackers get into a system, they seek god-like access. And the easiest way to do that is by gaining access to a privileged account. The Department notes the requirement to implement least privileged access. 23 NYCRR § 500.07.
- Monitoring and Response: Even if all the right things are done, companies need to look for anomalous activity and stop it. Endpoint Detection and Response (“EDR”) attempts to do just that. Years ago, it was a sophisticated tool used by only by the most sophisticated companies. Now everyone needs it.
- Tested and Segregated Backups: Companies need to maintain backups, and they need to keep them segregated from the network so that the backups remain accessible even in the wake of an attack. This is the only real hope companies have of not paying a ransom in the event of a ransomware attack.
- Incident Response Plan: Every company should have an incident response plan. But the language in the order makes it clear that the Department realize the plan isn’t worth the paper it is printed on unless it is tested by the C-Suite.
The Lawyer’s Role
Mapping regulatory guidance to the implemented technical controls: In today’s cyber world, it isn’t enough to show the Chief Information Security Officer the latest guidance and sit back and wait for questions. When the Department conducts a cybersecurity examination or, worse, performs an investigation after an incident, the Department expects to understand how the company’s technical controls line up with the regulations. In house counsel should know the answer.
On May 18, 2021, the Department announced that First Unum Life Insurance Company of America and Paul Revere Life Insurance Company agreed to pay $1.8 million in fines relating to data breaches. Part of the findings included that First Unum certified compliance with the Cybersecurity Rule despite not actually being in compliance across the board. This should serve as a reminder to in-house legal and compliance teams to work with the information security teams to understand just how each requirement is implemented across the board. A risk assessment, including one led by a qualified outside technical firm and overseen by counsel is helpful to ensure such compliance.
Tabletop exercises: The Department’s strong statement that “decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident” is worth repeating. Many companies now test their incident response plans through tabletop exercises. But all too often the CEO is left out of the exercise. The CIO or the CISO are often the only C-Suite members involved, and the exercise is often facilitated by technical consultant. For sure, such exercises are very valuable. But the CIO or CISO are likely not the ones making the call on paying a ransom, making board notification, talking to the press, informing third parties, or contacting law enforcement. Each of these is likely going to require other members of the C-Suite, including the CEO. And each of these is likely going through legal counsel for input, not to mention questions of preparation for litigation and privilege. Consequently, it is precisely that in-house counsel that is in the driver’s seat to put together a tabletop exercise and sit with the C-Suite for a 2 to 4 hour session. Your C-Suite may not like the idea before the exercise, but from our experience they’ll thank you after and ask for a refresher in short order.
Reporting Incidents: The Department has explained that ransomware incidents must be reported under the Cybersecurity Rule. Counsel should have a clear understanding of the incident as the initial report is made within 72 hours, and maintain an ongoing understanding as the incident develops. These reports are often the genesis of further investigation by the Department and demonstrating clear and convincing command of the facts helps assure the Department that your company knows how to respond to an incident.
The Department’s ransomware guidance should be a good refresher of steps companies should be taking to prevent and prepare for a cyber incident.