DFS Continues Focus on Cybersecurity: Issues Ransomware Guidance and Signals Increased Enforcement Actions
Here is what financial institutions need to know in light of these developments:
- On June 30, 2021, the New York State Department of Financial Services (DFS), reporting a 300% increase in ransomware attacks in 2020 and recognizing that “ransomware attacks continue to surge … [and are] jeopardizing the stability of the financial services industry,” issued new ransomware guidance stressing “key cybersecurity measures to reduce [the] risk of ransomware attacks.” The measures, many of which overlap with the guidance issued by the White House in June (which we covered separately), include employee training, vulnerability and patch management, password policies, multifactor authentication, access limitations, system monitoring, backup systems, and tested incident response plans.
- DFS has made probing entities’ compliance with Part 500’s cybersecurity requirements a standard part of routine examinations, requesting evidence of practices such as risk assessments, third-party service provider oversight, and general cybersecurity governance.
- DFS has brought multiple enforcement actions against entities as a result of these examinations, including against entities that allegedly failed to report cybersecurity events within 72 hours or to implement multifactor authentication. Penalties have run to millions of dollars, on top of the cost of engaging independent consultants to audit and oversee the company’s compliance program, which is often required as a condition of resolving the enforcement action.
Failing to comply with Part 500 can expose the company and its leadership to hefty fines and costly class action litigation. For example, New York Banking Law penalizes “unsafe or unsound” cybersecurity practices at up to $250,000 per day, and life insurance companies are subject to penalties of up to $1,000 per violation of Part 500. Lastly, the board member or senior officer who signs Part 500’s required annual certification of the entity’s compliance may be charged with a Class A misdemeanor if the certification is incorrect and was made intentionally.
Given the above, financial institutions should reexamine their compliance with Part 500’s cybersecurity requirements and ensure they can promptly demonstrate that compliance to regulators with documentary evidence. This work not only mitigates regulatory and litigation risk; implementing these measures should also reduce the organization’s risk of a successful attack in the first place.