State Regulatory Developments

NYDFS Issues Guidance on Cybersecurity Awareness During COVID-19 Crisis

The New York Department of Financial Services (NYDFS) recently issued an industry letter, providing guidance to regulated entities on cybersecurity awareness during the COVID-19 pandemic.

The industry letter highlights several areas of heightened cybersecurity risk posed by the COVID-19 pandemic, such as an increase in cybercrime and online fraud/phishing attempts.  In addition, the NYDFS states that, as required by the NYDFS’s cybersecurity regulation, regulated entities should assess such areas of heightened risk and address them appropriately.

Remote Working

  • In general, regulated entities must ensure that their networks and devices are properly secured (e.g., using VPN connections that encrypt data transmissions).
  • Regulated entities should be aware of the security risks involved with using personal devices to work remotely and should consider mitigating steps.
  • Video/audio-conferencing applications should be configured to limit unauthorized access and employees must be given guidance on how to securely use such applications. 
  • Regulated entities should also remind employees not to transmit nonpublic information through unauthorized personal accounts and devices.

Increased Phishing and Fraud

  • In response to the significant increase in online phishing fraud, “[r]egulated entities should remind their employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity.”
  • Regulated entities should consider updating authentication protocols, “especially for key actions, like security exceptions and wire transfers.”

Third-Party Risk

  • Regulated entities should evaluate how their critical third-party vendors are addressing the new risks related to COVID-19.

The NYDFS also reminds regulated entities that covered cybersecurity events must be reported “as promptly as possible and within 72 hours at the latest.”