NYDFS Issues New Guidance Regarding COVID-19 Cybersecurity Risks

Mintz - Privacy & Cybersecurity Viewpoints

The New York Department of Financial Services (“NYDFS”) recently issued new guidance to regulated entities regarding cybersecurity awareness during the COVID-19 pandemic, citing a significant increase in cybercrime and criminals seeking to exploit the pandemic.

The April 13 guidance arrives on the heels of NYDFS guidance issued in March, which included a request for the assurance of operational preparedness related to COVID-19, requiring regulated entities to submit a response to NYDFS describing the entity’s plan of preparedness to manage the risk of disruption to its services and operations.  In the latest guidance, the NYDFS specifically identified several areas of heightened risk as a result of the COVID-19 crisis: 1) remote working; 2) increased phishing and fraud; and 3) third-party risk.  The NYDFS also reminds covered entities of their obligation to assess and appropriately address these risks, as required by the NYDFS Cybersecurity Regulation (23 NYCRR Part 500).

Remote Working

The abrupt pivot to remote working environments in response to COVID-19 has created new security challenges, and attackers are exploiting these new vulnerabilities.  The NYDFS cites the following risks and preventative measures:

  • Secure Connections:  secure remote access through measures such as multi-factor authentication and secure VPNs to encrypt data in transit.
  • Company-Issued Devices:  secure and lock down devices, including use of Endpoint Detection & Response and Mobile Device Management.
  • Bring Your Own Device (BYOD):  secure devices and consider expanding BYOD policies and compensating controls.
  • Remote Working Communications:  properly configure and provide guidance to employees on use of audio and video conferencing applications, as such applications are increasingly becoming the target of cybercriminals.
  • Data Loss Prevention:  remind employees not to use personal accounts and applications to send nonpublic information. 

Increased Phishing and Fraud

The NYDFS cautions that there has been a significant increase in online fraud and phishing attempts related to COVID-19. In response to less face-to-face employee interaction, the NYDFS recommends reminding employees to be alert for phishing attempts and other similar frauds, and updating authentication protocols, especially for key actions such as security exceptions and wire transfers.

(For more information about recent cyber threats, see our summary of the recent joint alert from the US Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and UK National Cyber Security Centre (NCSC) regarding coronavirus-related threats here.)

Third-Party Risk

The NYDFS recommends re-evaluating risks to regulated entities’ third-party vendors in light of COVID-19, and coordinating with critical vendors to ensure that they are adequately addressing these new risks.

In this most recent guidance, the NYDFS also reminds regulated entities of their obligation to report covered cybersecurity events as promptly as possible, and within 72 hours at the latest.  

It is clear that the NYDFS views COVID-19 related cyber risks as a direct call to action to regulated entities.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
