On January 4, 2020, the New York State Department of Financial Services issued a "Cybersecurity Risk Alert" ("Cyber Alert") to all DFS regulated entities. The Cyber Alert arose in response to media reports of a heightened risk of Iranian cyber attacks given rising tensions between the U.S. and Iran. In its Cyber Alert, DFS referred to past incidents involving the hacking of U.S. bank accounts and cautioned "all regulated entities [to] heighten their vigilance against cyber attacks." Among other measures, DFS advises that all vulnerabilities should be remedied, employees should be properly trained to handle phishing attacks, and disaster recovery plans should be updated. Of course, any incidents or threats should be immediately reported.
As a reminder, DFS' cybersecurity regulation, 23 NYCRR 500, became effective on March 1, 2017, with an initial compliance deadline of March 1, 2019. It requires regulated entities to have a cybersecurity program in place. Even those entities that may be exempt must still adhere to a cybersecurity program (with certain regulatory requirements) and file an annual Certification of Compliance. Of note, DFS is extending the deadline for filing the Certification of Compliance from February 15th of each year to April 15th of each year. Thus, as of 2020, the Certification of Compliance for calendar year 2019 must be filed between January 1, 2020 and April 15, 2020.
DFS' Cyber Alert is a strong reminder that regulated persons and entities should not only have a regulatory compliance policy in place, but should also be adequately prepared and staffed to handle cyber breaches. In fact, the Cyber Alert reminds regulated entities that "[i]t is particularly important to make sure that any alerts or incidents are responded to promptly even outside of regular business hours--Iranian hackers are known to prefer attacking over the weekends and at night precisely because they know that weekday staff may not be available to respond immediately." (Emphasis added). As such, having a reliable response plan for weekends and nights, when staff may not ordinarily be readily available, would presumably be a best practice.
DFS' Cyber Alert came just days before the Cybersecurity and Infrastructure Security Agency (CISA)...