The New York Department of Financial Services (DFS) issued guidance to its regulated entities regarding heightened cybersecurity awareness as a result of the COVID-19 pandemic. The DFS has identified three areas of heightened cybersecurity risk arising from this crisis: remote work, phishing and fraud, and third-party risk.
As called for by the DFS’s cybersecurity regulation, regulated entities should assess the risks described below and address them appropriately, the DFS says.
According to the DFS, heightened risks and recommendations include:
- Remote Working
  - Secure Connections. Companies should make remote access as secure as possible under the circumstances. This includes the use of Multi-Factor Authentication and secure VPN connections that will encrypt all data in transit.
  - Company-Issued Devices. As new devices such as computers and phones are acquired or repurposed for remote working, regulated entities should ensure that they are properly secured. This includes locking down the devices so applications cannot be added or deleted by the user, and installing appropriate security software, such as Endpoint Detection & Response and Mobile Device Management.
  - Bring Your Own Device (BYOD) Expansion. Regulated entities that have expanded their BYOD policies to enable mass remote working should be aware of the security risks and consider mitigating steps. Some personal devices are not properly secured or are already compromised. If an expanded BYOD policy is necessary, compensating controls should therefore be considered.
  - Remote Working Communications. Remote working has increased reliance on video and audio-conferencing applications, but these tools are increasingly targeted by cybercriminals. Regulated entities should configure these tools to limit unauthorized access, and make sure that employees are given guidance on how to use them securely.
  - Data Loss Prevention. Employees may be using unauthorized personal accounts and applications, such as email accounts, to remain productive while remote working. Regulated entities should remind employees not to send Nonpublic Information to personal email accounts and devices. Anticipating and solving productivity problems will reduce the temptation to use such devices.
- Increased Phishing and Fraud
  There has been a significant increase in online fraud and phishing attempts related to COVID-19. For example, the FBI has reported that criminals are using fake emails that pretend to be from the Centers for Disease Control and Prevention (“CDC”), ask for charitable contributions, or offer COVID-19 relief such as government checks.
  Regulated entities should remind their employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity. Now that face-to-face work is curtailed, authentication protocols may need to be updated – especially for key actions, like security exceptions and wire transfers.
- Third-Party Risk
  The challenges created by the COVID-19 pandemic have also affected third-party vendors, and regulated entities should re-evaluate the risks to critical vendors. Regulated entities should coordinate with critical vendors to determine how they are adequately addressing the new risks.