FINANCIAL SERVICES: 3 cybersecurity mandates for serving New York State amid COVID-19
As the COVID-19 crisis persists, financial services firms that operate in New York State are subject to two cybersecurity mandates designed to help ensure preparedness for future emergencies, with new guidance tailored to the coronavirus pandemic. In addition, firms that serve New York State residents must also comply with a New York State law that was recently enacted, independent of the pandemic response.
The new guidelines are from the New York Department of Financial Services (NYDFS) and the Financial Industry Regulatory Authority (FINRA); the law is the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which went into effect March 21.
The sudden, unexpected shift to remote work for nonessential businesses has caught some financial services firms unprepared. They may not have implemented inclusive, fully tested telecommute programs that address new risks created by COVID-19. Remote work, for instance, has increased reliance on video- and audioconferencing applications, which are increasingly being targeted by cybercriminals.
Additionally, the NYDFS guidance points to a “significant” increase in online fraud and phishing attempts related to COVID-19. It cites FBI reports that threat actors are using fake emails, purportedly from organizations like the U.S. Centers for Disease Control and Prevention, that ask for charitable contributions or provide pandemic updates. Other scams include emails or calls that offer government financial assistance, fake calls from a help desk requesting passwords, and malicious links in emails and websites.
This heightened risk of cybersecurity incidents paired with new guidance for safeguarding the organization has many financial services firms struggling to understand how their existing compliance obligations overlap with the new guidance. To help, we have compiled a one-stop summary of how the new COVID-19 guidance fits into the requirements of the three regulations.
NYDFS guidance for ‘Regulated Entities Regarding Cybersecurity Awareness During COVID-19 Pandemic’
On April 13, NYDFS published new guidance on addressing cybersecurity risks heightened by COVID-19. The guidance applies to institutions regulated by the state’s cybersecurity law for financial services, known as NYDFS 23 NYCRR 500, and includes banks, insurance companies, and other financial services institutions.
The updated guidance focuses on three areas of risks: Remote working, increases in phishing and fraud, and third-party security risks. NYDFS also discusses secure remote access, including the use of multifactor authentication, secure VPN capabilities, and encryption of data in transit. Also mentioned are:
- Security for company-issued equipment such as computers and smartphones
- Security for employee-owned devices used for work (BYOD)
- Secure video- and audioconferencing applications, as well as security configurations to limit unauthorized access
- An assessment of risk-detection capabilities of third-party vendors
- Employee awareness and training on phishing and fraud emails related to COVID-19
The new COVID-19 guidance from NYDFS may impact an organization’s ability to meet the underlying NYDFS requirement, as the listed components might come under special scrutiny. For example, the guidance says that authentication protocols and processes may need to be updated to adequately address these evolving security risks, especially for wire transfers and security exceptions. The COVID-19 guidance also reminds regulated entities that cybersecurity events must be reported to the agency “as promptly as possible and within 72 hours at the latest.”
FINRA Rule 4370
FINRA Rule 4370, “Business Continuity Plans and Emergency Contact Information,” requires firms to create business continuity plans (BCPs) for procedures related to a future disaster and to review them annually. FINRA published notices March 9 and March 26 encouraging member firms to assess their BCPs for flexibility and security requirements needed to operate during a pandemic and listing the security measures to consider as firms respond to COVID-19.
Rule 4370, which preceded the COVID-19 notices, requires that firms make sure that BCPs are flexible enough to handle a range of emergency situations, including unexpected pandemics. In particular, the new notices advise businesses on establishing processes to supervise remote workers. They suggest that remote-communications technologies and employee home internet connections be tested to ensure they can capably connect to critical business systems. Other key provisions in the new notices state that businesses should:
- Regularly patch VPNs, as well as employee routers, computers, and mobile devices, with current security updates
- Use multifactor authentication for remote access
- Ensure that system and application entitlements are current
- Install anti-virus and anti-malware software
- Have a comprehensive incident-response plan
- Train employees on scams related to the COVID-19 pandemic
The New York SHIELD Act
The New York SHIELD Act, an update to New York’s data security law that was signed into law July 25, 2019, requires businesses that store or process electronic private information of New York State residents to adopt “reasonable” security safeguards. Under the SHIELD Act, “private information” includes personal data such as Social Security numbers, driver’s license numbers, financial account information, biometric data, and user access credentials, depending on other data and encryption factors.
The act stipulates that financial firms identify security program coordinators who are responsible for identifying current risks and assessing the ability of existing safeguards to control these risks. Other security requirements include:
- The ability to detect and respond to cyberattacks
- Regular testing of key security controls
- Protection of sensitive information from unauthorized access throughout the data lifecycle
- Implementation of a data lifecycle management program
- Inclusion of security capabilities in written contracts with third-party service providers
- Employee security training and awareness programs
Despite comparatively mature cybersecurity programs, COVID-19 has disrupted normal operations in the financial services industry. At a time when employees are geographically scattered and targeted by cybercriminals, businesses face extraordinary security challenges. Together, the new guidance paired with existing regulatory requirements can help firms remain vigilant, secure, and better prepared for an uncertain future.
Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy
Coronavirus Resource Center
InsightSEC proposes new rules on public company cybersecurity incident reporting, risk management disclosuresBhavesh VadhaniPublic companies could face a tight new timeline for disclosing material incidents, plus mandates to detail how they manage cyber risk. Read more.
InsightNew law requires ‘critical infrastructure’ organizations to report cybersecurity incidents, ransomware paymentsBhavesh Vadhani, Daryouche Behboudi, Deborah NitkaThe Cyber Incident Reporting for Critical Infrastructure Act requires certain entities to report attacks within 72 hours, ransomware payments within 24.
InsightFuture of cannabis – Cannabis Quarterly insights, Q1 2022Read our team’s perspectives on taxation, data strategy, and data privacy (including California’s CPRA) in CohnReznick’s CannaQuarterly newsletter.
InsightSEC proposes cybersecurity rules, incident disclosure for investment funds and advisorsIn addition to strengthening threat management, information protection, and other key areas, the SEC aims to boost board oversight. Read more.