The New York State Department of Financial Services (DFS) today advised all entities it regulates to prepare for increased risks of cyber attacks resulting from recent global conflicts. The industry letter appears to have been prompted by the entry over the weekend of the United States into the conflict between Israel and Iran.
Parts of the letter focused on laws and regulations pertaining to virtual currencies and U.S. sanctions against certain countries. Much of it discussed cybersecurity precautions. “Escalating global conflict significantly elevates cyber risk for the U.S. financial sector, including an increased risk of ransomware attacks and phishing campaigns," the letter said.
The department advised all entities to review their cybersecurity programs to ensure full compliance with the state’s financial services cybersecurity requirements regulation. They encouraged emphasis on multi-factor authentication (MFA,) management of system administrator accounts, and disabling or securing software that enables a person to remotely access and control a separate workstation.
Other measures the department recommended that apply to all entities, including insurance agencies that have limited exemptions from the requirements, include:
- Assessing their risks in view of the new threat level.
- Monitoring and assessing risks posed by third-party service providers.
- Testing the ability to fully restore systems from backup copies of data.
- Giving all employees additional cybersecurity awareness training and reminding them of the additional hazards resulting from world events.
In addition, even small agencies should have at least an informal plan for recovering from disasters such as fires, hurricanes, power and network outages, and cybersecurity attacks. This might include assignments of specific tasks to individuals, lists of staff personal phone numbers and email addresses, carrier contact information, and so on.
The department also suggested tracking guidance and alerts from government sources such as the Cybersecurity and Infrastructure Security Agency (CISA.) The letter also reminded entities of the requirement to notify DFS of certain cybersecurity incidents and to report them to appropriate law enforcement agencies such as the FBI and CISA.
We live in dangerous times where cyber criminals can shut down an insurance agency’s business. If you work with a technology consultant on cybersecurity, now would be a good time to check in for advice on how to protect your agency.