Citing a “significant increase in cybercrime” during the COVID-19 pandemic, the New York Department of Financial Services (DFS) issued guidance to all New York State regulated entities identifying areas of heightened cybersecurity risks. DFS advised regulated entities they should assess and address these areas as per cybersecurity regulation 23 NYCRR Part 500.

Heightened Risk #1: Remote Working. Cyber criminals are exploiting the abrupt shift to remote working due to COVID-19.

  • Secure Connections. Make remote access as secure as reasonably possible including the use of multi-factor authentication and secure VPN connections that encrypt all data in transit.
  • Company-Issued Devices. Computers and phones for remote working should be secured by preventing users from adding or deleting apps and by installing security software.
  • Bring Your Own Device (BYOD) Expansion. Because some personal devices are not properly secured or are already compromised, consider compensating by increasing controls.
  • Remote Working Communications. Video and audio conferencing are on the rise during the pandemic. Whenever possible, configure the tools to limit unauthorized access and provide guidance to employees on how to securely use them.
  • Data Loss Prevention. Remind employees not to send nonpublic information to personal email accounts and devices.

Heightened Risk #2: Increased Phishing and Fraud. Criminals have significantly increased online fraud and phishing attempts related to COVID-19.

  • Employees. Remind employees to be alert for phishing and fraud emails.
  • Training. Provide phishing training and testing as soon as practicable.
  • Authentication Protocols. Determine if authentication protocols need to be updated, especially for actions like security exceptions and wire transfers.

Heightened Risk #3: Third-Party Risk. Cybersecurity challenges during COVID-19 have also affected third-party vendors.

  • Third-party vendors. Regulated entities should reevaluate the cyber risks to critical vendors and determine how they are adequately addressing the new risks.

Finally, DFS cautioned regulated entities to stay vigilant during COVID-19 because by following good cybersecurity practices they can identify, mitigate, and manage risks.