You Must Notify the DFS if your Agency Has Been Directly Impacted by the SolarWinds Espionage Attack

On Friday, 12/18, the New York Department of Financial Services published an industry alert on the recently revealed SolarWinds/supply chain cyber espionage attack. You should notify the Department if your institution was directly impacted by any of the affected SolarWinds Orion products or if your institution has been notified of an impact by any affiliate who has access to your network or your nonpublic information. The Department's cybersecurity regulation requires notice of any Cybersecurity Event that has “a reasonable likelihood of materially harming any material part of the normal operation(s).” 23 NYCRR 500.17(a)(2). Given the sophistication and persistence of the malware and the adversary, DFS asks any affected institution to file…

If you haven’t been hit by a BEC attack yet, there is a good chance you will be

By Andrew Frisbie, Chief Information Security Officer at LCG

What is a BEC attack?

In the last several weeks, we have seen an increase in a type of cyber-attack called Business Email Compromise (BEC) – targeting businesses using Office (Microsoft) 365 email services. In this type of attack the objective is usually to influence your email communications for the purpose of convincing someone to divert payments (funds) to an illicit bank account or repository. Learning to protect your organization from BEC attacks is a cyber risk mitigation strategy against financial loss. Some examples from the past few weeks include:

Company using custom email domain in Office 365 was spoofed…

DFS Announces First Enforcement Action of NYS Cyber Regulation

This week, the Department of Financial Services announced the first charges for violations of Reg 500, aka the Cyber Regulation. The Department alleges a laundry list of violations by First American Title Insurance Company, which resulted in the exposure of millions of customer documents.

We have long speculated and advised you that DFS will not take violations of the Cyber Regulation lightly. Now, we have a bit more clarity: in this case, DFS holds that each instance of exposed customer information carries up to a $1,000 fine. Need a reason to make sure your agency is in compliance? The DFS just gave you a billion reasons.

The good news: Big I…
