Tech & Sourcing @ Morgan Lewis


New York’s Department of Financial Services (DFS) issued guidance on April 13 alerting regulated entities to the significant increase in cybercrime during the coronavirus (COVID-19) pandemic.

Specifically, DFS noted several cybersecurity risks resulting from the realities of a remote workforce. With the increase in remote working, companies have issued new devices to employees and in many cases allow employees to use their personal devices to remotely access company information. These practices understandably subject companies to increased risk of phishing attacks and leaks of confidential information. Remote connections need to be as secure as possible, using mechanisms like multi-factor authentication and secure VPN connections so that data is properly encrypted in transit. Regulated entities should ensure that all devices have the necessary security software and that employees are properly trained on how to use applications securely.

DFS also noted that the pandemic has led to a greater risk of online fraud and phishing attempts. One phishing scheme DFS highlighted in the guidance is the criminal use of fake emails soliciting charitable donations to the Centers for Disease Control and Prevention. In using this example, DFS noted that it is imperative that regulated entities remind their employees to be vigilant and alert to these types of fraudulent and phishing emails. Without in-person contact, authentication is more important than ever.

Finally, DFS used the guidance to remind all regulated entities of their obligation to report any covered Cybersecurity Event to DFS as promptly as possible and within 72 hours at the latest.