DFS Issues Cybersecurity Risk Alert

On January 4, 2020, the New York State Department of Financial Services issued a “Cybersecurity Risk Alert” (“Cyber Alert”) to all DFS regulated entities. The Cyber Alert arose in response to media reports of a heightened risk of Iranian cyber attacks given rising tensions between the U.S. and Iran. In its Cyber Alert, DFS referred to past incidents involving the hacking of U.S. bank accounts and cautioned “all regulated entities [to] heighten their vigilance against cyber attacks.” Among other measures, DFS advises that all vulnerabilities should be remedied, employees should be properly trained to handle phishing attacks, and disaster recovery plans should be updated. Of course, any incidents or threats should be immediately reported.

As a reminder, DFS’ cybersecurity regulation, 23 NYCRR 500, became effective on March 1, 2017 with an initial compliance deadline of March 1, 2019. It requires regulated entities to have a cybersecurity program in place. Even those entities that may be exempt must still adhere to a cybersecurity program (with certain regulatory requirements) and file an annual Certification of Compliance. Of note, DFS is extending the deadline for filing the Certification of Compliance from February 15th of each year to April 15th of each year. Thus, as of 2020, the Certification of Compliance for calendar year 2019 must be filed between January 1, 2020 and April 15, 2020.

DFS’ Cyber Alert is a strong reminder that regulated persons and entities should not only have a regulatory compliance policy in place, but should also be adequately prepared and staffed to handle cyber breaches. In fact, the Cyber Alert reminds regulated entities that “[i]t is particularly important to make sure that any alerts or incidents are responded to promptly even outside of regular business hours – Iranian hackers are known to prefer attacking over the weekends and at night precisely because they know that weekday staff may not be available to respond immediately.” (Emphasis added). As such, having a reliable response plan for weekends and nights, when staff may not ordinarily be readily available, would presumably be a best practice.

DFS’ Cyber Alert came just days before the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security issued Alert (AA20-006A) on January 6, 2020, to assist the U.S. cybersecurity community “in light of the current tensions between the Islamic Republic of Iran and the United States and Iran’s historic use of cyber offensive activities to retaliate against perceived harm.” Among other things, CISA recommends that organizations increase awareness and vigilance and confirm their reporting processes and incident response plans. CISA provides many suggested courses of action for doing so, which may be helpful to regulated entities and can be found at www.us-cert.gov/ncas/alerts/aa20-006a.

In sum, DFS’ Alert is consistent with CISA’s recommendations to mitigate vulnerabilities and be prepared for incidents. However, regulatory compliance with a written plan and meeting DFS filing deadlines are not sufficient; regulated entities should revisit and update their plans, operate on high alert, and be adequately prepared to respond to a cyber attack at any time.

*This article is for information purposes only and is not intended to give legal advice. For more information about insurance regulatory or other legal issues, please contact the author at (212)941.5025 or gabay@gabaybowler.com.