May 16, 2017


"The Department of Financial Services has been following the developments surrounding the WannaCry ransomware attack and its significant impact around the globe. While news reports indicate that financial institutions were not impacted by this cyber attack, this event illustrates the critical need for robust cybersecurity protections, regulatory minimum standards, and for institutions of all kinds to be ever vigilant against cybersecurity risks in order to protect data and information systems.

DFS's cybersecurity regulation, which became effective on March 1, 2017, addresses what has been identified as the main cause of the spread of the ransomware event. DFS's cybersecurity regulation requires, among other protective measures, the identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

The DFS cybersecurity regulation is designed to help prevent and mitigate the issues triggered by WannaCry by requiring bi-annual vulnerability assessments, including any systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities.

The WannaCry attack is a clear reminder that financial institutions need to be continually on guard and promptly implement robust cybersecurity programs to protect not only their customer data but also the integrity of their own technology and information systems."