Training

Ransomware? Don’t Pay It, Says FBI

Federal Bureau of Investigation Seal FBI September 15, 2016 Ransomware Public Service Announcement

What should companies do when ransomware hits?  The FBI says: (a) report it to law enforcement and (b) do not pay the ransom. Given the recent onslaught in ransomware attacks—such as a 2016 variant that compromised an estimated 100,000 computers a day—companies should consider how their incident response plans account for decision-making in response to ransomware, and include this scenario in their next (or an interim) tabletop simulation.

FBI Public Service Announcement

In a September 15 announcement, the FBI urged companies to come forward and report ransomware attacks to law enforcement. The FBI acknowledged that companies may hesitate to contact law enforcement for a variety of reasons: uncertainly as to whether a specific attack warrants law enforcement attention, fear of adverse reputational impact or even embarrassment, or a belief that reporting is unnecessary where a ransom has been paid or data back-ups have restored services.

Notwithstanding these dynamics, the FBI is calling on companies to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases.”

The FBI also offered some best practices that companies should consider incorporating into their cybersecurity program and/or their disaster recovery and business continuity plans. These recommendations include: regular backups that are verified, securing backups, implementation of anti-virus and anti-malware solutions, increased employee awareness training, institution of principle of least privilege policies, and more. READ MORE

Financial Institutions Going First? New York Proposes Mandatory Minimum Cybersecurity Compliance Standards

Cybersecurity Standards Financial Services Institutions

Just as it promised a year ago, New York State proposed new proscriptive, minimum cybersecurity requirements for regulated financial services institutions.  The regulations go final after a 45-day notice and public comment period.  At that point, entities regulated by the NYDFS will be subject to the nation’s first proscriptive set of cybersecurity requirements in contrast to the usual risk-based cybersecurity programs mandated by other financial regulators to date.  Thus, unlike previous guidance and reports issued by financial regulators such as FINRA and the SEC, New York’s rules are specific requirements that all regulated financial institutions must adopt..  In this Part I, we review the proposed requirements, and offer some specific steps that regulated financial services institutions should begin to consider for compliance readiness.

READ MORE