The New York Department of Financial Services (NYDFS) recently issued an industry letter, providing guidance to regulated entities on cybersecurity awareness during the COVID-19 pandemic.
The industry letter highlights several areas of heightened cybersecurity risk posed by the COVID-19 pandemic, such as an increase in cybercrime and online fraud/phishing attempts. In addition, the NYDFS states that, as required by the NYDFS’s cybersecurity regulation, regulated entities should assess such areas of heightened risk and address them appropriately.
- In general, regulated entities must ensure that their networks and devices are properly secured (e.g., using VPN connections that encrypt data transmissions).
- Regulated entities should be aware of the security risks involved with using personal devices to work remotely and should consider mitigating steps.
- Video/audio-conferencing applications should be configured to limit unauthorized access and employees must be given guidance on how to securely use such applications.
- Regulated entities should also remind employees not to transmit nonpublic information through unauthorized personal accounts and devices.
Increased Phishing and Fraud
- In response to the significant increase in online phishing fraud, “[r]egulated entities should remind their employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity.”
- Regulated entities should consider updating authentication protocols, “especially for key actions, like security exceptions and wire transfers.”
- Regulated entities should evaluate how their critical third-party vendors are addressing the new risks related to COVID-19.
The NYDFS also reminds regulated entities that covered cybersecurity events must be reported “as promptly as possible and within 72 hours at the latest.”