In view of Iran’s vows to retaliate against the United States for the death of Quassem Soleimani, the NYDFS has issued an industry letter to all regulated entities regarding the need for heightened cybersecurity precautions.

The letter notes that it “is particularly concerning that Iran has a history of launching cyber-attacks against the U.S. and the financial services industry,” citing 2012-2013 Iranian-sponsored cyber-attacks against several major U.S. banks. The letter also cites a June 2019 U.S. government advisory observing “a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies” using highly destructive attacks that delete or encrypt data.

The DFS letter calls for heightened vigilance against cyber-attacks and strongly recommends that regulated entities “ensure that all vulnerabilities are patched/remediated (especially publicly disclosed vulnerabilities), ensure that employees are adequately to deal with phishing attacks, fully implement multi-factor authentication, review and update disaster recovery plans, and respond quickly to further alerts from the government or other reliable sources. It is particularly important to make sure that any alerts or incidents are responded to promptly even outside of regular business hours – Iranian hackers are known to prefer attacking over the weekends and at night precisely because they know that weekday staff may not be available to respond immediately.”

Regulated entities are also directed to promptly notify DFS of any “significant or noteworthy cyber-attack,” noting that DFS’s cyber regulation requires notification as soon as possible but in no event later than 72 hours after a “material cybersecurity event.”

In what the New York Department of Financial Services (NYDFS) is touting as the first guidance by a U.S. regulator on cyber insurance, NYDFS announced on February 4, 2021, in Insurance Circular Letter No. 2 (2021), that it has issued a new Cyber Insurance Risk Framework (Framework) addressed to authorized property/casualty insurers that write cyber insurance. Nonetheless, NYDFS states “property/casualty insurers that do not write cyber insurance should still evaluate their exposure to ‘silent risk’ and take appropriate steps to reduce that exposure.”

The Framework consists of seven practices that “all authorized property/casualty insurers that write cyber insurance should employ,” while stating that “[E]ach insurer should take an approach that is proportionate to its risk.” The seven practices include:

  • Establish a Formal Cyber Insurance Risk Strategy
  • Manage and Eliminate Exposure to Silent Cyber Insurance Risk
  • Evaluate Systemic Risk
  • Rigorously Measure Insured Risk
  • Educate Insureds and Insurance Producers
  • Obtain Cybersecurity Expertise
  • Require Notice to Law Enforcement

The background of the issuance of the Framework follows the growth of the cyber insurance market, the increase in cyber risks and payouts, and that “it is clear that cybersecurity is now critically important to almost every aspect of modern life—from consumer protection to national security.” NYDFS recognizes that “as cyber risk has increased, so too has risk in underwriting cyber insurance.” Statistics cited in the Framework include the fact that based upon a survey it developed, from early 2018 to late 2019, “the number of insurance claims arising from ransomware increased by 180%, and the average cost of a ransomware claim rose by 150%. Moreover, the number of ransomware attacks reported to DFS almost doubled in 2020 from the previous year…[T]he global cost of ransomware was approximately $20 billion in 2020.”

NYDFS cautions that insurers “are not yet able to accurately measure cyber risk” and before offering that line of product to certain organizations, insurers should assess the risk of the insured.

NYDFS calls the growing cyber risk “an urgent challenge for insurers.” The NYDFS Letter can be accessed here: https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02

The New York Department of Financial Services (DFS), which regulates certain covered entities and licensed persons in the financial services sector doing business in New York, recently provided guidance to its regulated entities that the annually required Certificate of Compliance with the DFS Cybersecurity Regulations must be submitted no later than April 15, 2021.

To find out whether a company is covered by the DFS Cybersecurity Regulations, DFS has established a portal to search applicable regulated entities. The portal also is used to file the annual certification. According to DFS, “All Covered Entities and licensed persons who are not fully exempt from the Cybersecurity Regulation are required to submit a Certificate of Compliance no later than April 15, 2021, attesting to their compliance for the 2020 calendar year.”

The publication further states that “if a Covered Entity or licensed person has an exemption that is still valid, they do not need to file a new Notice of Exemption in 2021.”

For more information on the DFS Cybersecurity Regulation requirements, click here.

You probably heard about the recent hack of Twitter accounts that took place on July 15, 2020. The hackers took over several prominent Twitter accounts, which resulted in a scam that netted over $118,000 in bitcoin for the hackers. One of the most startling things about the cyberattack was that it was led by a 17-year-old along with his accomplices. The hackers took over the accounts of well-known individuals including Barack Obama, Kim Kardashian West, Kanye West, Bill Gates, Elon Musk and many others, and tweeted a “double your bitcoin scam” from these Twitter accounts directing people to send bitcoin to fraudulent accounts.

The New York Department of Financial Services (NYDFS) issued a detailed report last week regarding this hack into the social media giant. The report found that “the Twitter Hack happened in three phases: (1) social engineering attacks to gain access to Twitter’s network; (2) taking over accounts with desirable usernames (or “handles”) and selling access to them; and (3) taking over dozens of high-profile Twitter accounts and trying to trick people into sending the Hackers bitcoin. All this happened in roughly 24 hours.”

How did the hackers do it? According to the report, the first phase of the attack started with the hackers stealing credentials of Twitter employees the old-fashioned way by using social engineering. The hackers posed as Twitter IT employees and contacted several Twitter employees claiming there was a problem with Twitter’s Virtual Private Network (VPN). The report stated that the “hackers claimed they were responding to a reported problem the employee was having with Twitter’s Virtual Private Network (VPN). Since switching to remote working, VPN problems were common at Twitter. The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA [multi-factor authentication] notification requesting that the employees authenticate themselves, which some of the employees did.”

The hackers then went surfing within the Twitter system looking for employees with access to internal tools to take over accounts. This led to the second phase of the attack: taking over and selling access to original gangster (OG) Twitter accounts. According to the report, an OG Twitter account refers to accounts  designated by a single word, letter, or number and adopted by Twitter’s early users. The hackers discussed taking over and selling the OG accounts in various online chat messages. On July 15, the hackers “ hijacked multiple OG Twitter accounts and tweeted screenshots of one of the internal tools from some of the accounts to the accounts’ respective followers.

The final phase of the hack involved  taking over various cryptocurrency company accounts and directing users to a link to a scam bitcoin address. According to a tweet sent out by Twitter on July 16, approximately 130 accounts of high-profile verified users (those Twitter accounts that you see with the blue check mark) were taken over by the hackers with tweets asking people to send bitcoin, with the promise that the high-profile user would double the amount to be given to a charity. The bitcoin address was fraudulent, the tweets were not sent by the actual users, and the hackers were able to collect more than $118,000 in bitcoin.

The NYDFS began its investigation because the cryptocurrency companies are regulated entities. According to the report, the department instructed the cryptocurrency companies to block the hackers’ bitcoin addresses if they hadn’t already done so. This move prevented over a million dollars’ worth of fraudulent bitcoin transfers.

We write all the time about the critical importance of cybersecurity practices and protocols such as multifactor authentication, employee training regarding phishing, and using secure passwords. The general consensus appears to be that the Twitter hack was not a sophisticated one, but that the hackers knew what they were after and knew how to accomplish their goal. The NYDFS report stated that “the Twitter Hack is a cautionary tale about the extraordinary damage that can be caused even by unsophisticated cybercriminals. The Hackers’ success was due in large part to weaknesses in Twitter’s internal cybersecurity protocols.”

The New York Department of Financial Services (DFS) recently issued guidance to its regulated entities regarding heightened cybersecurity awareness as a result of the COVID-19 pandemic. DFS described three primary areas of heightened risk during this time: remote working, increased instances of phishing and fraud, and third-party risks.

With respect to remote working, DFS noted several areas of risk created by the shift to remote working. The prospect of more remote workers means additional security risks for all businesses. The DFS guidance focused on reminding regulated entities to use secure connections for remote workers – including the use of multi-factor authentication and VPN connections – to use secure wireless devices, and to provide guidance to employees regarding the secure use of wireless devices and other remote video conferencing tools.

DFS noted that there has been a significant increase in online fraud and phishing attempts and stated that the FBI has reported the use of fake emails purporting to be from the Center for Disease Control and Prevention (CDC), looking for charitable contributions or offering COVID-19 relief checks. DFS stated, “Regulated entities should remind their employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity.”

The third area DFS focused on was third-party risks. DFS suggested that regulated entities should coordinate with critical vendors to determine how they are adequately addressing new risks.

Finally, DFS issued a reminder that under 23 NYCRR Section 500.17(a), covered Cybersecurity Events must be reported to DFS as promptly as possible and within 72 hours at the latest.

On September 4, 2018, the third stage of compliance deadlines under the New York Department of Financial Services’ (DFS) expansive cybersecurity regulation went into effect. This deadline, scheduled for implementation 18 months after the regulation (23 NYCRR 500) initially went into effect in March 2017 triggers Covered Entities’ obligations under the regulation to:

  1. Maintain systems that include audit trails that can detect and respond to security incidents; (b) establish procedures (Section 500.06);
  2. Include in their cybersecurity program written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house applications and to evaluate the security of externally developed applications (Section 500.08);
  3. Establish policies and procedures for the periodic disposal of nonpublic information no longer necessary for business operations or for other legitimate business purposes (Section 500.13);
  4. Implement risk-based policies, procedures and controls designed for training and monitoring authorized users of systems (Section 500.14(a)); and
  5. Based on the company’s risk assessment, implement controls, including encryption, to protect nonpublic information both in transit over external networks and at rest (Section 500.15).

As noted in Section 500.15, the requirement to implement encryption for nonpublic data both in transit and at rest is dependent on the company’s risk assessment. The regulation requires that each Covered Entity develop its cybersecurity program around. To the extent the company determines that encryption is not feasible, the regulation permits Covered Entities to implement alternative controls reviewed and approved by the Company’s Chief Information Security Officer.

Under the regulation, Covered Entities are required to certify compliance on an annual basis, with the next scheduled certification deadline set for February 15, 2019. The final deadline under the regulation is scheduled for implementation on March 1, 2019, and will require Covered Entities to implement a Third-Party Service Provider Security Policy as mandated under Section 500.11 of the regulation.

The New York Department of Financial Services (DFS) issued new regulations requiring every consumer credit reporting agency that “assembles, evaluates, or maintains a consumer credit report on any consumers located in New York State register with the Superintendent of the Department of Financial Services.”

As a result of credit reporting agencies’ new status of having to register with DFS, those agencies are subject to annual reporting and enforcement by DFS.

It also deems credit reporting agencies to be covered entities under the NY DFS Cybersecurity Regulations, with transition periods for compliance—October 1, 2018, April 1, 2019, and October 1, 2019. This means that a consumer credit reporting agency is required to have policies and procedures in place to assess and respond to cyber risks, as well as certify to DFS that it has implemented a cybersecurity program just like financial institutions.

On March 1, 2018, the New York Department of Financial Services (NYDFS) “cybersecurity regulations” (23 NYCRR Part 500) took effect, placing a number of cybersecurity requirements on banks, insurance companies, and other financial services institutions and licensees regulated by the NYDFS (“Covered Entities”).

To aid in compliance with the regulation, the NYDFS recently added new guidance regarding Covered Entitles to its Frequently Asked Questions. The FAQs were last updated in December 2017, and the revisions include four new questions, which are summarized below:

  1. Are Exempt Mortgage Servicers Covered Entities under 23 NYCRR 500?

An Exempt Mortgage Servicer “will not fit the definition of a Covered Entity…” However, the NYDFS “strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.”

  1. Are Not-for-profit Mortgage Brokers Covered Entities under 23 NYCRR 500?

Yes. Not-for-profit Mortgage Brokers are Covered Entities under 23 NYCRR 500.

  1. Do Covered Entities have any obligations when acquiring or merging with a new company?

 NYDFS provides the following guidance regarding mergers and acquisitions: “When Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how [various regulatory requirements] apply to a particular acquisition. Some important considerations include, but are not limited to, the type of business of the target company, the target company’s risk for cybersecurity including its availability of personally identifiable information, the safety and soundness of the Covered Entity, and the integration of data systems.” NYDFS also emphasizes the need to have a serious due diligence process with cybersecurity being a serious priority throughout the acquisition process.

  1. Are Health Maintenance Organizations (HMOs) and continuing care retirement communities (CCRCs) Covered Entities?

Yes. Both HMOs and CCRCs are Covered Entities. As detailed in new FAQ 4, HMOs and CCRCs are Covered Entities subject to DFS authority by virtue of New York’s Public Health and Insurance laws.

The NYDFS Cybersecurity FAQs are available here.

On March 1, 2018, the one year transition period within which banks, insurance companies, and other financial services institutions and licensees regulated by the New York Department of Financial Services (“Covered Entities”)  must have implemented a cybersecurity program ends. By March 1, the Covered Entities must be in compliance with the following requirements:

23 NYCRR 500 §§:

  • 04(b): Chief Information Security Officer (“CISO”) – Each Covered Entity must have designated a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks.
  • 05:  Penetration Testing and Vulnerability Assessments – The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s risk assessment. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessment.
  • 09: Risk Assessment – Each Covered Entity shall conduct a periodic risk assessment of the Covered Entity’s information systems sufficient to inform the design of the cybersecurity program as required by this part. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented.
  • 12: Multi-Factor Authentication –  Based on its risk assessment, each Covered Entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access. Multi-factor authentication shall be used for any individual accessing the Covered Entity’s internal networks from an external network.
  • 14(b): Training and Mentoring – Each Covered Entity shall provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its risk assessment.

A PDF containing detailed descriptions for each requirement is found here.

On February 15, 2018—that is, today—banks, insurance companies and other financial services institutions and licensees regulated by the New York Department of Financial Services (DFS) are required to file their first certification of compliance with DFS’s far reaching cybersecurity regulation (23 NYCRR Part 500) (the “Regulation”).

The Regulation, which became effective on March 1, 2017, is touted as being the first cybersecurity regulation in the nation, requiring significant operational, technology and reporting changes in order for entities covered by the Regulation (Covered Entities) to comply. Covered Entities are required to electronically file a certification statement through the DFS cybersecurity portal confirming the company’s cybersecurity program met the Regulation’s requirements for the prior calendar year. The deadline is today. Have you filed?

For more information on the Regulation and additional upcoming deadlines, click here.