On April 13, 2020, the New York Department of Financial Services (NYDFS) issued new guidance to all New York State Regulated Entities to highlight “a significant increase in cybercrime” related to the COVID-19 epidemic. NYDFS’s guidance identified “several areas of heightened cybersecurity risk as a result of the crisis.” These risks include:
- Remote Working – The mass shift to remote working forced by COVID-19 has created new security threats which are being exploited by hackers. Regulated entities should take proactive steps to address these new security threats. Among other things, regulated entities should take steps to make their remote access as secure as possible by using multi-factor authentication and VPNs. Companies also should ensure that devices used to access networks are properly secured and/or controlled. Regulated entities also must take steps to ensure the security of remote working communications, like video conferencing applications. Finally, companies should ensure that employees are not accessing or sending sensitive or non-public information through personal email accounts or devices.
- Increased Phishing and Fraud – In response to a significant increase in online fraud and phishing attempts related to COVID-19, regulated entities should remind employees to be alert for phishing and fraud emails. Employees also should be encouraged to revisit trainings and internal policies on phishing and fraud. Moreover, remote working conditions may require regulated entities to address or modify their authentication protocols.
- Third-Party Risk – Regulated entities must be aware of cybersecurity risks facing their critical vendors, and they must coordinate with their vendors to ensure that new risks are adequately addressed.
NYDFS’s guidance directs all regulated entities to assess these risks and address them appropriately, as called for in NYDFS’s cybersecurity regulation, 23 NYCRR Part 500. The guidance further reminds regulated entities that, under the NYDFS cybersecurity regulation, covered “Cybersecurity Events” must be reported to NYDFS as promptly as possible and within 72 hours at the latest.”
The NYDFS guidance serves as yet another reminder that companies must be aware of the cybersecurity risks related to COVID-19. Despite the challenges posed by COVID-19, companies must remain vigilant if they wish to avoid regulatory scrutiny and/or financial penalties.