Reminding NY DFS regulated entities that its Cybersecurity Regulation (23 NYCRR Part 500) requires assessment of cybersecurity risk, and the reporting of certain cybersecurity events within 72 hours, the DFS issued guidance specific to the current COVID-19 pandemic. The DFS guidance is appropriate for any business, whether or not subject to the NY Regulation. The DFS also warned of heightened cyber risks in the current environment as criminals seek to exploit the situation.
Through its guidance (https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200413_covid19_cybersecurity_awareness) issued last week, the DFS highlighted the following:
- Remote working, implemented abruptly, has exposed new vulnerabilities. Businesses should make sure connections to their systems and data are secure, using secure VPN connections and multi-factor authentication.
- Devices used to conduct business, whether new or repurposed (including computers, phones and other devices) must have appropriate administrative and technical safeguards, such as appropriate security software, and the inability to add or delete apps.
- Consider carefully the Bring Your Own Device (BYOD) policy in view of the need to expand the use of personal devices for conducting business remotely. Some personal devices may have been compromised before they were used for working remotely. Consider appropriate security solutions and compensating controls.
- Properly configure video and audio conferencing tools, which may have vulnerabilities that have been exploited by cybercriminals.
- Anticipate and avoid work-arounds that personnel could develop to help get their jobs done, which may introduce vulnerabilities. Work-arounds can include the use of personal online accounts rather than company systems. Remind personnel of company safeguards and potential threats.
- Update awareness training and other protocols to protect against the increase in online fraud and phishing related to COVID-19. Fraudulent requests for charitable contributions, purported government relief offers and fake information from the CDC and others have proliferated.
- Coordinate with critical vendors, which are facing the same challenges, to determine how they are adequately addressing the new risks.
Visit our COVID-19 Resource Center often for up-to-date information to help you stay informed of the legal issues related to COVID-19.