From: New York State Department of Financial Services
To: All Individuals and Entities Regulated by the New York State Department of Financial Services
Re: Impact to Financial Sector of Ongoing Global Conflicts
The New York State Department of Financial Services (the “Department”) is issuing this guidance (“Guidance”) to all individuals and entities regulated by the Department (“regulated entities”) to reiterate the importance of adhering carefully to U.S. sanctions, as well as to New York State and Federal laws and regulations, including Department cybersecurity and virtual currency regulations set forth in 23 NYCRR Part 500 and 23 NYCRR Part 200, respectively. This Guidance highlights steps regulated entities should take to prepare for an increased threat of cybersecurity attacks, in light of ongoing global conflict. The Department understands that not every measure applies to every regulated entity, however in the interest of transparency and as a means of helping to focus regulated entities’ attention on certain key controls, the Department is sharing this vital information with all regulated entities.
The Department will provide further guidance to regulated entities as necessary.
CYBERSECURITY
Escalating global conflict significantly elevates cyber risk for the U.S. financial sector, including an increased risk of ransomware attacks and phishing campaigns.
Regulated entities should review their cybersecurity programs to ensure full compliance with the Department’s cybersecurity regulation (23 NYCRR Part 500). They are encouraged to pay particular attention to core cybersecurity hygiene measures like multi-factor authentication, privileged access management, vulnerability management, and disabling or securing remote desktop protocol access, each of which helps to prevent cybersecurity threats and mitigate the impact of a cyber event. In addition, regulated entities should:
- Review their risk assessment(s) to account for recent changes in the cyber-risk landscape.
- Monitor and regularly assess risks presented by third party service provider arrangements.
- Review, update, and test their incident response and business continuity plans, and ensure that the plans affirmatively address destructive cyberattacks such as ransomware.
- Re-evaluate plans to maintain essential services, protect critical data, and preserve customer confidence, considering the increased threat of extended outages and disruption.
- Implement and continuously update risk-based controls designed to detect unauthorized or anomalous activity, such as Endpoint Detection and Response and Security Information and Event Management tools.
- Conduct a full test of the ability to restore from backups.
- Provide additional cybersecurity awareness training and reminders for all personnel.
Regulated entities should also closely track guidance and alerts from the Cybersecurity and Infrastructure Security Agency (“CISA”) and relevant Information Sharing and Analysis Centers (“ISACs”).
Regulated entities must report cybersecurity events that meet the criteria of 23 NYCRR § 500.17(a) as promptly as possible, and within 72 hours in any event, via the secure Department Portal, which can be accessed from the Cybersecurity Resource Center. Regulated entities should also immediately report cybersecurity events to law enforcement, such as to the FBI, including athttps://www.ic3.gov/, and to CISA at https://myservices.cisa.gov/irf or (844) Say-CISA (844-729-2472).
Read the rest of the letter at NYDFS.