FINANCIAL SERVICES: 3 cybersecurity mandates for serving New York State amid COVID-19

On April 13, NYDFS published new guidance on addressing cybersecurity risks heightened by COVID-19. The guidance applies to institutions regulated by the state’s cybersecurity law for financial services, known as NYDFS 23 NYCRR 500, and includes banks, insurance companies, and other financial services institutions. 

The updated guidance focuses on three areas of risks: Remote working, increases in phishing and fraud, and third-party security risks. NYDFS also discusses secure remote access, including the use of multifactor authentication, secure VPN capabilities, and encryption of data in transit. Also mentioned are: 

• Security for company-issued equipment such as computers and smartphones 
• Security for employee-owned devices used for work (BYOD)
• Secure video- and audioconferencing applications, as well as security configurations to limit unauthorized access
• An assessment of risk-detection capabilities of third-party vendors
• Employee awareness and training on phishing and fraud emails related to COVID-19

The new COVID-19 guidance from NYDFS may impact an organization’s ability to meet the underlying NYDFS requirement, as the listed components might come under special scrutiny. For example,  the guidance says that authentication protocols and processes may need to be updated to adequately address these evolving security risks, especially for wire transfers and security exceptions. The COVID-19 guidance also reminds regulated entities that cybersecurity events must be reported to the agency “as promptly as possible and within 72 hours at the latest.”

FINRA Rule 4370, “Business Continuity Plans and Emergency Contact Information,” requires firms to create business continuity plans (BCPs) for procedures related to a future disaster and to review them annually. FINRA published notices March 9 and March 26 encouraging member firms to assess their BCPs for flexibility and security requirements needed to operate during a pandemic and listing the security measures to consider as firms respond to COVID-19. 

Rule 4370, which preceded the COVID-19 notices, requires that firms make sure that BCPs are flexible enough to handle a range of emergency situations, including unexpected pandemics. In particular, the new notices advise businesses on establishing processes to supervise remote workers. They suggest that remote-communications technologies and employee home internet connections be tested to ensure they can capably connect to critical business systems. Other key provisions in the new notices state that businesses should:

• Regularly patch VPNs, as well as employee routers, computers, and mobile devices, with current security updates
• Use multifactor authentication for remote access 
• Ensure that system and application entitlements are current
• Install anti-virus and anti-malware software
• Have a comprehensive incident-response plan
• Train employees on scams related to the COVID-19 pandemic 

The New York SHIELD Act, an update to New York’s data security law that was signed into law July 25, 2019, requires businesses that store or process electronic private information of New York State residents to adopt “reasonable” security safeguards. Under the SHIELD Act, “private information” includes personal data such as Social Security numbers, driver’s license numbers, financial account information, biometric data, and user access credentials, depending on other data and encryption factors. 

The act stipulates that financial firms identify security program coordinators who are responsible for identifying current risks and assessing the ability of existing safeguards to control these risks. Other security requirements include:

• The ability to detect and respond to cyberattacks 
• Regular testing of key security controls
• Protection of sensitive information from unauthorized access throughout the data lifecycle
• Implementation of a data lifecycle management program
• Inclusion of security capabilities in written contracts with third-party service providers
• Employee security training and awareness programs 

Despite comparatively mature cybersecurity programs, COVID-19 has disrupted normal operations in the financial services industry. At a time when employees are geographically scattered and targeted by cybercriminals, businesses face extraordinary security challenges. Together, the new guidance paired with existing regulatory requirements can help firms remain vigilant, secure, and better prepared for an uncertain future.

Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy

703.847.4418