The New York Department of Financial Services (“NYDFS”) recently issued new guidance to regulated entities regarding cybersecurity awareness during the COVID-19 pandemic - citing a significant increase in cybercrime and criminals seeking to exploit the pandemic.
The April 13 guidance arrives on the heels of NYDFS guidance issued in March, which included a request for the assurance of operational preparedness related to COVID-19, requiring regulated entities to submit a response to NYDFS describing the entity’s plan of preparedness to manage the risk of disruption to its services and operations. In the latest guidance, the NYDFS specifically identified several areas of heightened risk as a result of the COVID-19 crisis: 1) remote working; 2) increased phishing and fraud; and 3) third party risk. In the new guidance, the NYDFS reminds covered entities of their obligation to assess and appropriately address these risks, as required by NYDFS Cybersecurity Regulation (23 NYCRR Part 500).
The abrupt pivot to remote working environments in response to COVID-19 has created new security challenges, and attackers are exploiting these new vulnerabilities. The NYDFS cites the following risks and preventative measures:
- Secure Connections: secure remote access through measures such as multi-factor authentication and secure VPNs to encrypt data in transit.
- Company-Issued Devices: secure and lock down devices, including use of Endpoint Detection & Response and Mobile Device Management.
- Bring Your Own Device (BYOD): secure devices and consider expanding BYOD polices and compensating controls.
- Remote Working Communications: properly configure and provide guidance to employees on use of audio and video conferencing applications, as such applications are increasingly becoming the target of cybercriminals.
- Data Loss Prevention: remind employees not to use personal accounts and applications to send nonpublic information.
Increased Phishing and Fraud
The NYDFS cautions that there has been a significant increase in online fraud and phishing attempts related to COVID-19. In response to less face-to-face employee interaction, the NYDFS recommends reminding employees to be alert for phishing attempts and other similar frauds, and updating authentication protocols, especially for key actions such as security exceptions and wire transfers.
(For more information about recent cyber threats, see our summary of the recent joint alert from the US Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and UK National Cyber Security Centre (NCSC) regarding coronavirus-related threats here.)
The NYDFS recommends re-evaluating risks to regulated entities’ third-party vendors in light of COVID-19, and coordinating with critical vendors to ensure that they are adequately addressing these new risks.
In this most recent guidance, the NYDFS also reminds regulated entities of their obligation to report covered cybersecurity events as promptly as possible, and within 72 hours at the latest.
It is clear that the NYDFS views COVID-19 related cyber risks as a direct call to action to regulated entities.