On April 13, the New York State Department of Financial Services (DFS) issued guidance to its regulated institutions on how to manage cyber-risks connected to remote working, amid a “significant” increase in cybercrime associated with the global COVID-19 pandemic. DFS recommends that companies use secure connections, including multifactor authentication and secure VPN connections for connecting to company networks or systems, and that employees use only company-issued devices that can be locked down remotely if needed.
Company devices should also include appropriate security technology, such as endpoint detection and response and mobile device management. Likewise, video- and audioconferencing software should be configured to limit unauthorized access, and employees should be trained on how to use it securely.
If companies have expanded their “bring your own device” policies to enable remote working, they should consider implementing compensating measures and device security. As for personal accounts and applications (such as email or mobile apps), DFS advises against using them to send nonpublic information, in order to prevent data losses.
DFS has also joined other state and federal regulators to warn of an increase in online fraud and phishing attempts related to COVID-19. Now that face-to-face work is limited, DFS recommends updating and training employees on authentication protocols for key actions such as security exceptions and wire transfers. Third-party risks should also be assessed in light of the challenges created by the pandemic.
DFS reminds regulated institutions that, even outside the current environment, they are already required to assess cybersecurity risks and to address them appropriately. If an incident qualifies as a “covered cybersecurity incident” under 23 NYCRR sec. 500.17(a), the regulated institution must report it to DFS “as promptly as possible” and within 72 hours at the latest.