Guidance to Department of Financial Services (“DFS”) Regulated Entities Regarding Cybersecurity Awareness During COVID-19 Pandemic

Treliant Takeaway:

Treliant helps firms be compliant with DFS Part 500 Cybersecurity requirements and other regulatory cyber guidance and expectations. Our professionals include but are not limited to former Chief Information Security Officers (“CISO”) and Internal Auditors. We understand how to make cybersecurity programs work and to prepare for regulatory exams.

Article Highlights:

As firms work to continue operations during the COVID-19 pandemic, the DFS is reminding covered entities that there are heightened cybersecurity risks and that, under 23 NYCRR Section 500.17(a), covered Cybersecurity Events must be reported to DFS as promptly as possible and within 72 hours at the latest. Prompt reporting will enable DFS to respond quickly to new threats as DFS works to protect consumers and the financial services industry.

Heightened cybersecurity risks highlighted are as follows:

  1. Remote Working – Considerations for regulated entities’ networks and Nonpublic Information[1] include:
    • Secure Connections – using Multi-Factor Authentication and secure VPN connections that will encrypt all data in transit (23 NYCRR 500.12 & 500.15).
    • Company-Issued Devices – locking down the devices so applications cannot be added or deleted by the user, and installing appropriate security software.
    • Bring Your Own Device (BYOD) Expansion – Some personal devices are not properly secured or are already compromised; compensating controls should therefore be considered.
    • Remote Working Communications – configure tools to limit unauthorized access, and make sure that employees are given guidance on how to use them securely.
    • Data Loss Prevention – remind employees not to send Nonpublic Information to personal email accounts and devices.
  2. Increased Phishing and Fraud – There has been a significant increase in online fraud and phishing attempts related to COVID-19. Firms should remind employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity.
  3. Third-Party Risk – Firms should re-evaluate the risks to critical vendors (23 NYCRR 500.11) and coordinate with them to determine how they are adequately addressing the new risks.

CISOs and their teams need to have measures already in place to ensure the secure operations of their firms’ businesses. CISOs will need to demonstrate cybersecurity compliance and be ready for a thorough look at the underlying processes by the regulators.

[1] 23 NYCRR § 500.01(g).