New York DFS Warns Industry Of Heightened Cyber-Risks

Kramer Levin Naftalis & Frankel LLP


Kramer Levin provides its clients proactive, creative and pragmatic solutions that address today’s most challenging legal issues. The firm is headquartered in New York with offices in Silicon Valley and Paris and fosters a strong culture of involvement in public and community service. For more information, visit www.kramerlevin.com

On April 13, the New York State Department of Financial Services (DFS) issued guidance to its regulated institutions on how to manage cyber-risks connected to remote working, amid a "significant" increase in cybercrime associated with the global COVID-19 pandemic. DFS recommends that companies use secure connections, including multifactor authentication and secure VPN connections for connecting to company networks or systems, and that employees use only company-issued devices that can be locked down remotely if needed.

Company devices should also include appropriate security technology, such as endpoint detection and response and mobile device management. Likewise, video- and audioconferencing software should be configured to limit unauthorized access, and employees should be trained on how to use it securely.

If companies have expanded their "bring your own device" policies to enable remote working, they should consider implementing compensating measures and device security. As for personal accounts and applications (such as email or mobile apps), DFS advises against using them to send nonpublic information, in order to prevent data losses.

DFS also has joined other state and federal regulators to warn of an increase in online fraud and phishing attempts related to COVID-19. Now that face-to-face work is limited, DFS recommends updating and training employees on authentication protocols for key actions such as security exceptions and wire transfers. Third-party risks should also be assessed in light of the challenges created by the pandemic.

DFS reminds regulated institutions that they are already required, even outside the current environment, to assess cybersecurity risks and to address them appropriately. If an incident qualifies as a "covered cybersecurity incident" under 23 NYCRR sec. 500.17(a), the regulated institution must report it to DFS "as promptly as possible" and within 72 hours at the latest.

Originally published May 01, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
