September 19, 2020

Volume X, Number 263

New York Department of Financial Services Issues New Guidance Regarding COVID-19 Cybersecurity Risks

On April 13, 2020, the New York Department of Financial Services (NYDFS) issued new guidance to all New York State Regulated Entities to highlight “a significant increase in cybercrime” related to the COVID-19 epidemic. NYDFS’s guidance identified “several areas of heightened cybersecurity risk as a result of the crisis.” These risks include:

  • Remote Working – The mass shift to remote working forced by COVID-19 has created new security threats which are being exploited by hackers. Regulated entities should take proactive steps to address these new security threats. Among other things, regulated entities should take steps to make their remote access as secure as possible by using multi-factor authentication and VPNs. Companies also should ensure that devices used to access networks are properly secured and/or controlled. Regulated entities also must take steps to ensure the security of remote working communications, like video conferencing applications. Finally, companies should ensure that employees are not accessing or sending sensitive or non-public information through personal email accounts or devices.

  • Increased Phishing and Fraud – In response to a significant increase in online fraud and phishing attempts related to COVID-19, regulated entities should remind employees to be alert for phishing and fraud emails. Employees also should be encouraged to revisit trainings and internal policies on phishing and fraud. Moreover, remote working conditions may require regulated entities to address or modify their authentication protocols.

  • Third-Party Risk – Regulated entities must be aware of cybersecurity risks facing their critical vendors, and they must coordinate with their vendors to ensure that new risks are adequately addressed.

NYDFS’s guidance directs all regulated entities to assess these risks and address them appropriately, as called for in NYDFS’s cybersecurity regulation, 23 NYCRR Part 500. The guidance further reminds regulated entities that, under the NYDFS cybersecurity regulation, covered “Cybersecurity Events” must be reported to NYDFS as promptly as possible and within 72 hours at the latest.

The NYDFS guidance serves as yet another reminder that companies must be aware of the cybersecurity risks related to COVID-19. Despite the challenges posed by COVID-19, companies must remain vigilant if they wish to avoid regulatory scrutiny and/or financial penalties.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume X, Number 105


About this Author

Peter Baldwin, Securities lawyer, Drinker Biddle

Peter W. Baldwin, a former federal prosecutor, defends clients facing white-collar criminal and internal investigations, securities enforcement actions, cybersecurity issues, and other complex civil and criminal litigation matters. Prior to joining Drinker Biddle, Pete spent over eight years as an Assistant United States Attorney in the U.S. Attorney’s Offices for the Eastern District of New York and Central District of California. In this role, he supervised all aspects of criminal investigation and prosecution, first as a member of the Major Frauds Section in the Central...