The New York Department of Financial Services (NYDFS) has proposed amendments to strengthen its cybersecurity requirements. This is not surprising given the current state of cyber threats, most notably ransomware, as threats continue to morph and increase their devastating impact on private and public organizations.
The proposed amendments consist of many notable additions and extensions to the existing cybersecurity requirements, including business continuity, audits, vulnerability assessments, access controls and privileged users. While this guidance targets ‘Class A’ financial services companies, those with 2000+ employees or $1B+ revenue, the proposed amendments give all organizations insight into emerging best practices for battling modern cyber threats.
I prefer to group the changes into simple categories to understand this type of regulatory compliance. In reviewing the requirements, you can generally segment the proposed amendments into three categories: preventative, recovery, and attestation. We can define these categories as follows:
- Preventative: those related to security controls and vulnerabilities.
- Recovery: those related to business continuity and disaster recovery.
- Attestation: the periodic audits and certifications enumerated in the recommendations.
For the purposes of this article, we will quickly review preventative recommendations and then dive deeper into recovery recommendations; we will leave the attestation/audit discussion to GRC professionals.
Ransomware prevention and recovery
The amendments raise the bar significantly for both preventative and recovery practices and controls. On the preventative side, Zero Trust principles are clearly seen with requirements for stronger passwords, MFA, user monitoring, privileged account control, security awareness training and phishing simulations, and frequent vulnerability scanning. These controls provide the safeguards that will thwart MOST cyber threats. But patient and calculating threat actors continually morph their tactics and deceptions, and with enough focus and effort, they will crack even the best defenses.
So as one would expect, the proposed NYDFS cybersecurity requirements also focus on recovery. Here the proposed amendments include guidelines for backup data and business continuity. For backup data, organizations are required to have backup systems and procedures, practice their ability to recover, and maintain a copy of backup data that is isolated from network connections. Related and slightly overlapping are the requirements for business continuity which include proactive recovery measures to minimize disruptive events, procedures for the maintenance of backup systems, and the backup of data that is critical to operations.
These proposed requirements provide a minimal level of prescriptive guidance for organizations to recover in the case of a disruptive incident.
Hardened and at scale recovery is needed
These recovery requirements can be significantly strengthened with the following considerations:
- For backup data, having the plans and procedures is a fundamental first step. But with modern threats, more is needed to ensure the reliability of the backup copies and the ability to recover critical functions of the organization immediately. Backup data is a target for ransomware and potentially other malicious activity. This requires a resilient backup system that has immutability, strong access controls to prevent tampering with platform settings, and monitoring of backup data and users for indicators of anomalous changes in data or user behavior. Without extremely strong safeguards, backup data may be altered or destroyed, rendering it useless to the organization. Finally, most organizations have little tolerance for extended downtime. It is critical to cyber resilience that virtual machines and critical files are brought online as rapidly as possible. This minimizes the risk and impact of an incident.
- To isolate backup data from network connections, tape backup was the standard. But as mentioned above, organizations need to get critical systems and data up as soon as possible. The inherent physical delays of moving and loading tape create overhead in recovery that most organizations cannot tolerate. A newer data isolation technique is now the choice to replace or supplement tape backups. Backing up to the cloud over temporary, tightly secured connections provides the balance of isolation and data availability needed to support modern cyber-resilience requirements and SLAs. Flexible options exist, from DIY to fully managed SaaS offerings that allow organizations to point, click, and isolate backup data. And with cloud isolation, the data is naturally removed from the primary IT infrastructure; in worst-case scenarios the physical isolation may be the key to the data’s survival.
So why the deep dive on recovery here? This goes to the escalation of tactics by threat actors. Once confined to cyber vandalism, then moving to cyber theft, the game for backup and recovery changed when backups became the target of cyber destruction. With backup copies destroyed, organizations are simply helpless once threat actors gain control of their production data: game over. The attackers then demand millions of dollars to release the data, and most organizations simply pay because they have no other option. But paying the ransom does not mean that the organization can recover all its data. In a recent survey by ESG Research, “The Long Road to Ransomware Preparedness”, only 14% of organizations who pay the ransom get 90% or more of their data back.
Most organizations pour millions into preventative controls and solutions every year, but recovery solutions have lagged. In another survey by Cohesity, many organizations reported that their backup and recovery solution was antiquated and did not provide the necessary security, detection, and recovery needed to counter modern cyber threats.
How to respond: Protect, detect and recover. Refuse to pay the ransom.
It is urgent and important for organizations to implement recovery solutions to reduce the risk and impact of ransomware attacks and other malicious actions.
First, protect the backups. Ensure the backup data is immutable, encrypted, and fault tolerant. Backup data must be reliable to ensure organizations will effectively return key processes and data to operations. And protect the backup platform; apply Zero Trust principles to control who can access data in the platform and/or change backup schedules and retention settings.
Second, monitor backup data and users. As production data is ingested for routine backups, AI/ML can spot unusual changes in data. Anomalies in data can indicate an emerging ransomware attack and many organizations stop ransomware in its tracks by monitoring for anomalies. Also, watch user access activity, especially for files and objects. Changes in access patterns, volumes, and time may indicate that data exfiltration is occurring as part of a double extortion attack. And link the anomaly detection to existing security controls and operations so that security analysts can determine if the anomaly is actionable and alert incident response teams.
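The monitoring step above can be made concrete. The following is an added example, not code from the original post or from any backup product: it screens a sequence of nightly backup jobs for one virtual machine and flags a job whose change ratio (changed bytes over total bytes) jumps far above the VM's own baseline, or whose changed blocks have the near-random byte distribution that bulk encryption leaves behind. The per-job statistics, the median/MAD baseline, and the thresholds are all assumptions constructed for illustration; a real deployment would feed the alert into the SIEM/SOAR pipeline mentioned in the text.

```python
"""Backup-ingest anomaly screening (added example, constructed data).

Two signals are checked per backup job of a single source:
  1. change_ratio: fraction of the source that changed since the last job,
     compared with the source's own history via a robust (median/MAD) z-score.
  2. entropy: mean Shannon entropy (bits per byte) of sampled changed blocks;
     encrypted or compressed output sits close to the 8-bit ceiling.
"""
import math
from statistics import median

# Constructed sample: nightly jobs for one VM. Ratios and entropies are the
# kind of numbers shannon_entropy() and a block-level diff would produce for
# ordinary office data. The final job mimics an encryption pass: most of the
# disk changed and the changed data is near-random.
SAMPLE_JOBS = [
    {"job": "2024-01-01", "change_ratio": 0.021, "entropy": 5.1},
    {"job": "2024-01-02", "change_ratio": 0.018, "entropy": 5.3},
    {"job": "2024-01-03", "change_ratio": 0.025, "entropy": 5.0},
    {"job": "2024-01-04", "change_ratio": 0.019, "entropy": 5.4},
    {"job": "2024-01-05", "change_ratio": 0.026, "entropy": 5.2},
    {"job": "2024-01-06", "change_ratio": 0.022, "entropy": 5.1},
    {"job": "2024-01-07", "change_ratio": 0.017, "entropy": 5.3},
    {"job": "2024-01-08", "change_ratio": 0.630, "entropy": 7.9},
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for uniform data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def robust_zscore(value: float, history: list[float]) -> float:
    """Signed distance of value from the history median, in scaled-MAD units.

    Median/MAD is used instead of mean/stdev so that one earlier outlier cannot
    inflate the baseline and hide a later spike.
    """
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0:
        return 0.0 if value == med else math.inf
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to a stdev


def screen_jobs(jobs, z_threshold=5.0, entropy_threshold=7.5, min_history=3):
    """Return one alert dict per job that trips either signal.

    The baseline for each job is only the jobs before it, so a ransomware job
    never contaminates its own baseline.
    """
    alerts = []
    for i, job in enumerate(jobs):
        history = jobs[:i]
        if len(history) < min_history:
            continue  # not enough of a baseline yet; do not guess
        z = robust_zscore(job["change_ratio"],
                          [h["change_ratio"] for h in history])
        reasons = []
        if z > z_threshold:
            reasons.append(f"change ratio {job['change_ratio']:.3f} is "
                           f"{z:.1f} MADs above baseline")
        if job["entropy"] >= entropy_threshold:
            reasons.append(f"changed-block entropy {job['entropy']:.1f} bits/"
                           f"byte suggests encrypted output")
        if reasons:
            alerts.append({"job": job["job"], "change_z": round(z, 1),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in screen_jobs(SAMPLE_JOBS):
        print(alert["job"], "->", "; ".join(alert["reasons"]))
```

Only the last job is flagged, on both signals, because the baseline is built from that VM's own prior jobs rather than a fleet-wide constant; a file server that legitimately churns 30% a night would get its own higher median instead of paging someone every evening.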
Third, ensure the recovery solution can recover at scale. As noted above, organizations today have non-stop operating requirements to meet customer, supply-chain, and other SLAs. In a CISO panel on ransomware at Cohesity’s ReConnect Virtual Summit, CISOs stated that 24 hours is the new recovery standard. After 24 hours, the organization can suffer revenue loss, customer churn, and other issues that could jeopardize its goals and commitments. Organizations need to recover VMs at scale, thousands per hour, so that critical processes can resume. They also need rapid access to critical files and objects, which is especially true in the financial services and healthcare industries. Finally, the recovery needs to be reliable. Organizations need confidence that the data they are restoring has integrity and accuracy.
The proposed amendments for the NYDFS cybersecurity requirements will have an immediate impact on the preventative, recovery, and attestation efforts in large financial services organizations. The legislation could certainly change as it goes through the approval process, but the modern needs for recovery outlined in this blog will most likely persist.