DFS Issues Guidance in Light of COVID-19 Cyber Risks

Last week, the New York Department of Financial Services (“DFS”) issued guidance to entities it regulates about maintaining cybersecurity awareness during the COVID-19 pandemic. Businesses have likely already seen the numerous news alerts regarding the increased risk of cyberthreats as bad actors take advantage of the upheaval caused by the current health crisis. At the end of March, the FBI reported that its Internet Crime Complaint Center had already received over 1200 complaints of COVID-19-related scams.

In particular, the increased use of remote working arrangements to continue operations has put a target on businesses and any sensitive data they use, store, and transmit. Businesses should be aware that their normal cybersecurity procedures may not adequately cover the vulnerabilities that are created when employees work from home.

In its guidance, DFS outlines some measures to address these new vulnerabilities, including ensuring that remote access points are protected by using multi-factor authentication and secure VPN connections, requiring that company-issued devices are protected against modification or hacking, and advising employees on how to properly use video and audio-conferencing applications in a secure fashion. If using the popular web-conferencing application Zoom, for example, certain features of Zoom can be employed to help guard against unauthorized access, such as requiring a password to enter a Zoom call and enabling the “Waiting Room” feature, which gives the host the ability to invite attendees into the call. DFS also warns against allowing employees to use unsecured personal devices and personal accounts and applications for business purposes.

In response to these potential vulnerabilities and the reports of increased cybercrime, DFS expects the entities it regulates to assess the risks created by this crisis and address them accordingly. Entities should be particularly mindful of several specific obligations under the DFS cybersecurity regulations.

First, entities must identify, evaluate, and respond to risks specific to the COVID-19 health crisis when conducting their risk assessment. If a business’s annual risk assessment is not due for some time, it should separately identify and evaluate these risks now, rather than waiting, in order to best safeguard against any current threats.

Second, entities should be especially vigilant about the protections its third-party vendors use to safeguard data. In its guidance, DFS notes entities should re-evaluate the risks that may affect their critical vendors and coordinate with those vendors to ensure they are maintaining adequate levels of security.

Finally, all regulated entities should ensure that, if they are the victim of a qualifying “cybersecurity event,” as defined by the DFS cybersecurity regulations, they report the event to the DFS Superintendent within 72 hours of determining that notification of the event must be provided to any government body, agency, or other supervising authority, or that the event has a “reasonable likelihood of materially harming any material part of the normal operation” of the business.

Entities may start seeing increased activity from DFS in terms of cybersecurity oversight, in light of the state’s consumer-friendly approach and the particular risks the COVID-19 outbreak has created. Evaluating and responding to these risks now will help businesses avoid scrutiny down the line for any inadequate cybersecurity protections.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2020 Harter Secrest & Emery LLP