Categories
Compliance

NY DFS Cyber Regulation Proposed Amendments Target Ransomware Notification

On July 29th, 2022, The New York State Department of Financial Services (NY DFS) published pre-proposal amendments to their landmark Cybersecurity Regulation, 23 NYCRR 500. The “DFS Cyber reg” as it’s often referred to was a first-in-the-nation when it was published in 2017 and has since been a model that’s been used in countless other regulations. The proposed amendments are clearly designed to do the same, made evident by the fact that nearly every section has new or amended requirements.

In this blog post we’re going to describe one of the most significant proposed amendments to the reg. That is, the NEW requirements related to ransomware, extortion and the reporting of those cybersecurity events.

Notice of Ransomware Event

The proposed amendments to Section 500.17 would incorporate two new definitions of a cybersecurity event, one of which specifically addresses ransomware. Should any of the events described in this section occur, electronic notification to the superintendent, within 72 hours, is required.

  • 500.17 (a)(4) – cybersecurity events that resulted in the deployment of ransomware within a material part of the covered entity‚Äôs information system.

Under the current rule, reporting cases of ransomware would be required if: there is a required notice to a government body, self-regulatory agency or any other supervisory body or if there was a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.

Notice & Description of Extortion Payment

The proposed amendments to Section 500.17 would also incorporate a requirement to notify the superintendent of extortion payment, within 24 hours of the payment. A written description sent to the superintendent would also be required within 30 days. This written description would have to include:

  • A written description of the reasons payment was necessary

  • A description of alternatives to payment considered

  • All diligence performed to find alternatives to payment

  • All diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control

Plans are nothing Planning is Everything

There’s no doubt that if these amendments were to pass it would impose significant new requirements on covered entities cybersecurity event reporting policies and procedures. If your Incident Response plan does not specifically address the companies policies and procedures for responding to and reporting ransomware events, then it would be worthwhile to begin that process now. With the impact ransomware has had the last several years, there’s little doubt that some form of ransomware notification will make it to the final regulation. The time to prepare is now.

Categories
Computer & Network Security

7 Questions to Ask Before Deciding Whether to Pay a Ransomware Attacker

Intro

  • Ransomware is on the rise, owing to the pandemic. In 2020, ransomware exceeded $1.4 billion in the US alone, according to an estimate from Emsisoft.
  • Definition: When threat actors prevent a company from accessing their systems, network, or data until a demand is met.

7 Questions to Ask Before Deciding Whether To Pay a Ransomware Attacker

  • 1. & 2. Do You Have a Backup? Will it Work?
    • Today’s ransomware groups take backups into account. Even if you have backed up your critical files, it’s important to know the capabilities and functionality of your restoration services. If a threat actor has access to your backups, there is a good chance they will attempt to encrypt or even delete them. If you haven’t done so before and haven’t deeply investigated your capabilities, you won’t know how lengthy or difficult such a restore could be. You may also not understand whether there are backdoors in your restores or whether attackers have accessed any online backups.
  • 3. How Much Will the Ransom Really Cost You?
    • Many organizations wind up making the calculus that making the ransom payment is cheaper than losing data and/or business continuity. How badly does your company need the impacted system or the data stored on that system? if the machine is integral to business operation? There is also a cost to public perception and reputation. Paying ransoms may cast your organization in a negative light.
  • 4. Do I Call Law Enforcement?
    • Statistically speaking, law enforcement faces a low chance of catching ransomware groups. They also may not have the capacity to crack encryption or obtain decryption keys. However, that doesn’t mean there’s no utility to the act. One may reach out to law enforcement because it may be more likely the perpetrator will be caught, for the possibility that technical assistance from law enforcement may help, or because it helps show regulators and the public that you took all reasonable actions. It may also fulfil a requirement in cyber insurance coverage.
  • 5. Have You Considered the Risk of the Ransom Being Reneged?
    • Threat actors must maintain credibility in their claim that receiving the ransom payment will restore the victim’s systems. For the most part, that’s been the case, but further deception has occurred on more than a few occasions (Such as demanding another payment). Given that possibility, it’s in your interest to speak with ransomware experts about how your particular group has handled ransom payments.
  • 6. Have You Considered Law Enforcement Guidance?
    • Anyone who’s seen an action movie knows that the US doesn’t negotiate with terrorists. Perhaps surprisingly, the FBI doesn’t require or encourage not paying a ransom under any circumstances. What do they say?
      • “Whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup.”
  • 7. Can You Forstall The Attack on Your Own
    • Ransomware attackers use many of the same methods as typical attackers. It’s possible that there’s guidance out there that could help you resolve the hack on your own. 
      • The “no more ransom” project, a collaboration between European law enforcement and cybersecurity companies Kaspersky Lab and McAfee, offers decryption tools for more than 85 ransomware varieties.

Conclusion

  • Deciding to pay a ransom or not is a difficult question to answer. Ultimately, it should be an informed and calculated decision based on due diligence and support from internal and external parties. However, if we want to do our part to try and curb ransomware attacks, we should design our systems and protect our organizations such that paying the ransom is left as a last resort.