New DFS Cybersecurity Guidance Explained

Abstract: What the new DFS third-party service provider (TPSP) letter means and how your agency may respond

Body: The New York State Department of Financial Services (DFS) issued new cybersecurity guidance for regulated entities, including insurance agencies, focused on third-party service provider (TPSP) oversight under the state's financial services cybersecurity regulation. The update doesn't add new requirements but clarifies how agencies may want to manage vendors with access to nonpublic information.

What DFS Section 500.11 Requires

Insurance agencies and other covered entities must maintain written TPSP cybersecurity policies and procedures that address:

- Identifying your third-party service providers
- Setting minimum cybersecurity standards
- Performing due diligence on vendor security
- Periodically reassessing each TPSP's controls

These…


DFS Warns of Cybersecurity Risk from Cisco Devices

Abstract: Authorities have found Cisco’s ASA (Adaptive Security Appliances) and Firepower devices, which many organizations use as part of their network security, to have critical weaknesses.

Body: The New York State Department of Financial Services (DFS) is warning the entities it regulates about a serious new cybersecurity threat affecting certain Cisco firewall devices. Many companies use them to protect their networks. Attackers are actively exploiting a “zero-day” vulnerability — a flaw that criminals are using before the vendor provides a fix — to break into systems and potentially steal data or disrupt operations.

What’s Happening

Authorities have found Cisco’s ASA (Adaptive Security Appliances) and Firepower devices, which many organizations…


REMINDER: Cybersecurity Requirements Coming Nov. 1

Abstract: There's one last deadline coming up for insurance agencies and others subject to New York's cybersecurity requirements for financial services companies regulation.

Body: There's one last deadline coming up for insurance agencies and others subject to New York's cybersecurity requirements for financial services companies regulation. By November 1 of this year, all businesses covered by the regulation must implement policies and procedures to create and maintain inventories of their computerized assets. We have created a Microsoft Excel workbook for members to download and use to meet this requirement.

Also by November 1, all covered entities must implement multi-factor authentication for all remote access to the agency's…
