NYDFS issues ransomware preparedness guidance
New York’s Department of Financial Services warned regulated institutions about escalating ransomware attacks and outlined mandatory controls around MFA, privileged access, incident playbooks, and timely notification.
Fact-checked and reviewed — Kodi C.
On 4 February 2021 the New York State Department of Financial Services (NYDFS) published an Industry Letter detailing ransomware risk management expectations for banks, insurers, and virtual currency firms. NYDFS highlighted common intrusion vectors, required multifactor authentication and privileged access controls, urged firms to rehearse incident playbooks, and reminded licensees of 72-hour reporting obligations under 23 NYCRR 500.
Common Attack Vectors
The guidance identifies prevalent ransomware intrusion methods requiring defensive attention: phishing emails delivering malicious attachments or links; exploitation of unpatched vulnerabilities in internet-facing systems; compromised remote access credentials, particularly where single-factor authentication remains in use; and supply chain compromises through managed service providers or software vendors.
NYDFS notes that attackers now exfiltrate data before encryption, enabling double extortion threats that persist even when victims restore from backups. This evolution fundamentally changes incident economics, as attackers retain leverage through threatened data publication even when technical recovery succeeds.
Required Controls
The letter reinforces existing 23 NYCRR 500 requirements with ransomware-specific emphasis. Multifactor authentication must cover all remote access, privileged user access, and access to nonpublic information repositories. Privileged access management requires limiting administrative permissions, monitoring privileged sessions, and implementing just-in-time access where feasible.
Backup segmentation protections must prevent ransomware from encrypting backup repositories alongside production systems. Air-gapped or immutable backup solutions provide restoration capability even when attackers achieve broad network access. Institutions should implement the 3-2-1 backup strategy: three copies on two different media types, with one copy offsite or air-gapped. Immutable backups using WORM storage technology prevent encryption of backup data during active attacks.
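As an added illustration (not part of the NYDFS letter or of this summary), the following Python check evaluates a backup inventory against the two expectations in the paragraph above: the 3-2-1 rule and the requirement that backups cannot be encrypted alongside production. The inventory is constructed for the example; the `prod_credentials_reach` field is a hypothetical inventory attribute meaning "a production administrator account can modify or delete this copy", which is how a backup repository ends up encrypted in the same incident as the systems it protects.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a dataset, as recorded in a backup inventory."""
    dataset: str
    media: str                    # storage medium, e.g. "disk", "tape", "object-storage"
    offsite: bool                 # held outside the production site/account, or air-gapped
    immutable: bool               # WORM / object-lock: cannot be altered or deleted during retention
    prod_credentials_reach: bool  # hypothetical field: production admin credentials can write or delete it


def check_3_2_1(copies):
    """Return the 3-2-1 rules a dataset's copies fail (empty list means compliant)."""
    failures = []
    if len(copies) < 3:
        failures.append("fewer than three copies")
    if len({c.media for c in copies}) < 2:
        failures.append("fewer than two media types")
    if not any(c.offsite for c in copies):
        failures.append("no offsite or air-gapped copy")
    return failures


def check_backup_segregation(copies):
    """Flag datasets whose backups could be encrypted alongside production systems."""
    failures = []
    if not any(c.immutable for c in copies):
        failures.append("no immutable (WORM) copy")
    if all(c.prod_credentials_reach for c in copies):
        failures.append("every copy is writable with production credentials")
    return failures


def evaluate(inventory):
    """Map each dataset name to the list of control failures found for it."""
    by_dataset = defaultdict(list)
    for copy in inventory:
        by_dataset[copy.dataset].append(copy)
    return {
        name: check_3_2_1(copies) + check_backup_segregation(copies)
        for name, copies in sorted(by_dataset.items())
    }


# Constructed sample inventory (not real systems): one compliant dataset, one that fails every rule.
SAMPLE_INVENTORY = [
    BackupCopy("core-banking-db", "disk", offsite=False, immutable=False, prod_credentials_reach=True),
    BackupCopy("core-banking-db", "object-storage", offsite=True, immutable=True, prod_credentials_reach=False),
    BackupCopy("core-banking-db", "tape", offsite=True, immutable=True, prod_credentials_reach=False),
    BackupCopy("policy-admin", "disk", offsite=False, immutable=False, prod_credentials_reach=True),
    BackupCopy("policy-admin", "disk", offsite=False, immutable=False, prod_credentials_reach=True),
]


if __name__ == "__main__":
    for dataset, failures in evaluate(SAMPLE_INVENTORY).items():
        status = "OK" if not failures else "FAIL: " + "; ".join(failures)
        print(f"{dataset}: {status}")
```

Run as a script it prints one line per dataset; the `policy-admin` dataset fails because both of its copies sit on the same medium, on-site, without WORM protection, and within reach of production credentials, which is exactly the configuration the guidance says ransomware exploits.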
Network segmentation requirements call for limiting lateral movement opportunities through zero-trust architectures and microsegmentation. Critical systems hosting nonpublic information should reside in isolated network segments with restrictive traffic policies.
Incident Response Requirements
Compliance leaders should validate that incident runbooks align with the DFS 72-hour notification requirement for cybersecurity events. Response plans must address ransomware scenarios specifically, including decision frameworks for payment considerations, law enforcement coordination, and customer notification triggers. Regular tabletop exercises that test ransomware playbooks demonstrate preparedness and identify capability gaps before incidents occur.
Communication procedures should establish clear escalation paths and designate decision authority for containment actions that may disrupt business operations. Pre-negotiated retainer agreements with forensic vendors and legal counsel accelerate response when incidents occur.
Training and Awareness
Employee awareness training remains essential to building a phishing-resistant workforce. NYDFS expects training programs to address ransomware-specific scenarios, including social engineering tactics, suspicious email recognition, and internal reporting procedures. Simulated phishing exercises test awareness program effectiveness and identify users who require additional training.
Privileged user training should cover ransomware escalation techniques that exploit administrative credentials, emphasizing credential hygiene and session monitoring responsibilities.
Vendor Risk Management
Supply chain attacks through managed service providers represent a growing vector. Organizations must assess vendor ransomware preparedness through due diligence questionnaires addressing backup procedures, incident response capabilities, and the state of security controls. Contract provisions should require vendor notification of cybersecurity events affecting the organization's data or systems.
Board and Executive Engagement
NYDFS expects board involvement in ransomware preparedness oversight. Boards should receive regular briefings on ransomware threats, the state of controls, and incident response capabilities. Executive leadership must understand ransomware business impacts and support resource allocation for prevention and response programs.
Source material
- Ransomware Guidance — dfs.ny.gov
- CVE Details - Vulnerability Database — CVE Details
- ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization