New York Department of Financial Services Released New Guidance Addressing COVID-19 Related Cybersecurity Risks

Peter Marta, Paul Otto, Tim Tobin
Hogan Lovells
Contact
LinkedIn
Facebook
X
Send
Embed

Hogan Lovells

Continuing its focus on COVID-19’s impact on its regulated entities, on April 13, the New York Department of Financial Services (NYDFS) released new cybersecurity guidance in response to the COVID-19 pandemic. The guidance highlights the heightened cybersecurity risks from the current crisis and NYDFS’ expectations that its regulated entities address those risks as large portions of their workforce have shifted to remote working arrangements.

The new cybersecurity guidance provides recommendations for regulated entities to consider implementing to maintain robust compliance with the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). The guidance is timely, as there have been indications that the NYDFS will increase its enforcement of the regulation over the coming year. The new guidance follows guidance and a request for assurance of operational preparedness related to COVID-19 that NYDFS issued last month. That earlier release required that regulated financial institutions create COVID-19 preparedness plans that, among other things, assess potential increased cyber-attacks and fraud and account for business continuity for remote working or where staff may be unavailable to work for long periods of time. The new cybersecurity guidance goes further in identifying and elaborating on three areas of risk: remote working, increased phishing and fraud, and the use of third-party vendors.

Remote Working

Many NYDFS regulated entities have had to make an abrupt shift to work from home arrangements to slow the spread of COVID-19. However, this shift has created new cybersecurity vulnerabilities and expanded the endpoints that criminals can target. The guidance details several of these vulnerabilities and NYDFS’ views on how to address them:

  • Secure Connections – ensure VPNs are secure and require multi-factor authentication to access. Note that the federal Cybersecurity and Infrastructure Security Agency (CISA) released an alert on Enterprise VPN Security on March 13, 2020, that contains more information on securing VPNs.
  • Company-Issued Devices – ensure that all devices are secure and have appropriate security software installed for remote working, such as Endpoint Detection & Response (EDR) and Mobile Device Management (MDM) software.
  • Bring Your Own Device (BYOD) Expansion – where regulated entities have expanded their BYOD policies to enable broader BYOD usage, evaluate the security risks of that expansion and consider mitigating steps and compensating controls as appropriate.
  • Remote Working Communications – ensure that communication tools are properly configured to prevent access by hostile third-party actors.
  • Data Loss Prevention – ensure employees are not sending nonpublic information to personal email accounts and devices.

Increased Phishing and Fraud

Online fraud and phishing attempts have increased dramatically this year, including a new subset of COVID-19 related fraudulent schemes and – as reported by CISA – other attempts to exploit the COVID-19 pandemic. As employees no longer consistently work face-to-face, NYDFS emphasizes that its regulated entities may need to reevaluate their authentication procedures, remind employees to be alert for phishing and other social engineering schemes, and revisit broader employee phishing training to minimize the risk of falling victim to these new schemes.

Third Party Risk

Third-party vendors may struggle to deal with COVID-19 restrictions. NYDFS notes that its regulated entities should proactively engage critical vendors to determine how they are addressing the heightened cybersecurity risk environment and then reevaluate their own risk exposure accordingly. For more information on the risks COVID-19 places on IT service providers and mitigating those risks, click here.

***

This latest NYDFS guidance reflects its continued focus on its regulated entities’ cybersecurity practices and comes amid a number of other cybersecurity authorities providing targeted COVID-related updates, including the CISA alerts noted above. For more information on some of the increased cybersecurity threats facing organizations with a largely remote workforce, click here.

 

*Jake Nevola, a Law Clerk in our New York office, contributed to this entry.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells
Hogan Lovells
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide