NYDFS Stresses Cybersecurity Awareness in COVID-19 Pandemic
In a reminder to regulated entities, the New York Department of Financial Services warned last week of a potential uptick in phishing, fraud, and third-party risk.
A few weeks after extending its Certification of Compliance deadline and asking financial institutions for their COVID-19 preparedness plans, the New York Department of Financial Services issued further guidance on cybersecurity awareness as it relates to the pandemic.
The NYDFS stressed that because of complications introduced by the crisis, all entities - banks, credit unions, trust companies, and other financial institutions - should ensure they're equipped to deal with heightened risk from a cybersecurity standpoint.
In a letter last week, the department warned about risks introduced by remote working, increased phishing and fraud, and third-party risks that could be introduced depending on the vendor an entity uses. With more employees shifting to working from home, organizations have more endpoints to secure and more vulnerabilities to worry about.
The bulk of NYDFS' guidance revolved around how to combat remote working threats.
For instance, NYDFS offered advice on the following:
- Secure Connections. Companies should make remote access as secure as possible under the circumstances. This includes the use of Multi-Factor Authentication and secure VPN connections that will encrypt all data in transit. See 23 NYCRR §§ 500.12 & 500.15.
- Company-Issued Devices. As new devices such as computers and phones are acquired or repurposed for remote working, regulated entities should ensure that they are properly secured. This includes locking down the devices so applications cannot be added or deleted by the user, and installing appropriate security software, such as Endpoint Detection & Response and Mobile Device Management.
- Bring Your Own Device (BYOD) Expansion. Regulated entities that have expanded their BYOD policies to enable mass remote working should be aware of the security risks and consider mitigating steps. Some personal devices are not properly secured or are already compromised. If an expanded BYOD policy is necessary, compensating controls should therefore be considered.
- Remote Working Communications. Remote working has increased reliance on video and audio-conferencing applications, but these tools are increasingly targeted by cybercriminals. Regulated entities should configure these tools to limit unauthorized access, and make sure that employees are given guidance on how to use them securely.
- Data Loss Prevention. Employees may be using unauthorized personal accounts and applications, such as email accounts, to remain productive while remote working. Regulated entities should remind employees not to send Nonpublic Information to personal email accounts and devices. Anticipating and solving productivity problems will reduce the temptation to use such devices.
The rest of NYDFS' guidance echoes advice that's been making the rounds for several weeks now but is still actionable. It warned of an increase in COVID-19-themed phishing attempts and fraud emails and encouraged employees to revisit any training they may have taken or internal policies they may have received on mitigating such attacks. It also advised regulated entities to work with any third-party vendors to address any risk that may exist in those relationships.
The NYDFS also used the letter to remind regulated entities that they are bound by DFS’s cybersecurity regulation, 23 NYCRR Part 500, not only to assess risks like the examples above but also to report incidents to the department as soon as they can - in under 72 hours, ideally.
As previously mentioned, the NYDFS has issued several pieces of guidance in the wake of the COVID-19 pandemic. Last month the department asked all regulated entities to supply it with a preparedness plan in which the organization outlines its preventative measures, an assessment of how susceptible its systems would be to cyberattacks, and how its mitigation plans would be executed and overseen.
The department also pushed back its usual April 15 cybersecurity Certification of Compliance deadline - filing one is a requirement under the department's Cybersecurity Regulation (23 NYCRR 500) - for organizations that may be experiencing hardships related to the coronavirus.