United States: COVID-19 US: New York DFS Advises Regulated Entities Regarding New Cyber Risks Posed By COVID-19

On April 13, the New York Department of Financial Services published an Industry Letter which advises all New York State regulated entities of certain heightened cybersecurity risks resulting from the COVID-19 pandemic. In light of this guidance, New York regulated entities including insurers and insurance producers that are licensed (and not just domiciled) in New York should review their cybersecurity policies and procedures to ensure that such risks are appropriately addressed.

On April 13, the New York Department of Financial Services ("NY DFS") published an Industry Letter which advises all New York State regulated entities of certain heightened cybersecurity risks resulting from the COVID-19 pandemic. In light of this guidance, New York regulated entities including insurers and insurance producers that are licensed (and not just domiciled) in New York should review their cybersecurity policies and procedures to ensure that such risks are appropriately addressed.

The NY DFS identifies heightened cybersecurity risk specifically with regard to (i) remote working, (ii) increased phishing and fraud, and (iii) third-party risks.

Regarding remote working, the NY DFS warns that due to the shift to mass remote working, entities' networks and information, including any nonpublic personal information held by such entities, are more vulnerable to cyber risks. Specifically, the NY DFS identifies increased cyber risk relating to remote access to networks, the use of company-issued devices and the use of personal devices by employees for business purposes. The NY DFS also notes that remote working communications, such as the use of video and audio-conferencing applications, are increasingly being targeted by cybercriminals, and advises that these tools should be configured to limit access and that employees be properly trained to use them securely. Given the foregoing, the NY DFS advises that regulated entities identify and consider ways to properly secure the use of such networks and devices.

With regard to the increased risk of phishing and fraud, the NY DFS notes that there has been an increase in phishing and fraud attempts, notably by criminals using fake emails asking for charitable donations or offering monetary relief. The NY DFS advises that regulated entities remind employees to be aware of the possibility of such attempts and to revisit phishing training and consider updating authentication protocols.

The NY DFS also advises that regulated entities evaluate the risk to critical third-party vendors in light of the COVID-19 pandemic, and that regulated entities should coordinate with such vendors to assess how they are adequately addressing new cyber risks.

Lastly, the NY DFS reminds all regulated entities that, pursuant to 23 NYCRR 500.17(a), all cybersecurity events must be reported to the NY DFS as promptly as possible but at the latest within 72 hours after determination that such an event has occurred.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.