The new cybersecurity guidance provides recommendations for regulated entities to consider implementing to maintain robust compliance with the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). The guidance is timely, as there have been indications that the NYDFS will increase its enforcement of the regulation over the coming year. The new guidance follows guidance and a request for assurance of operational preparedness related to COVID-19 that NYDFS issued last month. That earlier release required that regulated financial institutions create COVID-19 preparedness plans that, among other things, assess potential increased cyber-attacks and fraud and account for business continuity for remote working or where staff may be unavailable to work for long periods of time. The new cybersecurity guidance goes further in identifying and elaborating on three areas of risk: remote working, increased phishing and fraud, and the use of third-party vendors.
Many NYDFS regulated entities have had to make an abrupt shift to work from home arrangements to slow the spread of COVID-19. However, this shift has created new cybersecurity vulnerabilities and expanded the endpoints that criminals can target. The guidance details several of these vulnerabilities and NYDFS’ views on how to address them:
- Secure Connections – ensure VPNs are secure and require multi-factor authentication to access. Note that the federal Cybersecurity and Infrastructure Security Agency (CISA) released an alert on Enterprise VPN Security on March 13, 2020, that contains more information on securing VPNs.
- Company-Issued Devices – ensure that all devices are secure and have appropriate security software installed for remote working, such as Endpoint Detection & Response (EDR) and Mobile Device Management (MDM) software.
- Bring Your Own Device (BYOD) Expansion – where regulated entities have expanded their BYOD policies to enable broader BYOD usage, evaluate the security risks of that expansion and consider mitigating steps and compensating controls as appropriate.
- Remote Working Communications – ensure that communication tools are properly configured to prevent access by hostile third-party actors.
- Data Loss Prevention – ensure employees are not sending nonpublic information to personal email accounts and devices.
Increased Phishing and Fraud
Online fraud and phishing attempts have increased dramatically this year, including a new subset of COVID-19 related fraudulent schemes and – as reported by CISA – other attempts to exploit the COVID-19 pandemic. As employees no longer consistently work face-to-face, NYDFS emphasizes that its regulated entities may need to reevaluate their authentication procedures, remind employees to be alert for phishing and other social engineering schemes, and revisit broader employee phishing training to minimize the risk of falling victim to these new schemes.
Third Party Risk
Third-party vendors may struggle to deal with COVID-19 restrictions. NYDFS notes that its regulated entities should proactively engage critical vendors to determine how they are addressing the heightened cybersecurity risk environment and then reevaluate their own risk exposure accordingly. For more information on the risks COVID-19 places on IT service providers and mitigating those risks, click here.
This latest NYDFS guidance reflects its continued focus on its regulated entities’ cybersecurity practices and comes amid a number of other cybersecurity authorities providing targeted COVID-related updates, including the CISA alerts noted above. For more information on some of the increased cybersecurity threats facing organizations with a largely remote workforce, click here.
Jake Nevola, a Law Clerk in our New York office, contributed to this entry.
Authored by Peter Marta, Paul Otto and Timothy Tobin.