The New York Department of Financial Services (NYDFS) issued a bulletin on March 3, warning regulated entities of the increasing risk of cyber-attacks amid escalating global conflict and advised heightened vigilance.
Although the warning didn’t concern a specific coordinated threat targeting the New York financial services industry, the NYDFS nonetheless pointed to recent events as reason for regulated entities to bolster their cybersecurity risk management practices. The bulletin also emphasized the importance of maintaining compliance with NYDFS cybersecurity regulations.
The bulletin did not impose any new requirements for regulated entities. However, the DFS used the bulletin to highlight the following best practices for regulated entities to consider in light of the heightened risk environment.
- Promptly identify and remediate known vulnerabilities including through monitoring authoritative sources such as the Known Exploited Vulnerabilities Catalog.
- Prepare for disruptive and destructive cybersecurity incidents by reviewing and testing operational resilience procedures to protect and restore critical functions, information systems, and nonpublic information.
- Review personnel and customer communication strategies to confirm they are sufficient to address prolonged system and service disruptions.
- Enhance monitoring for suspicious and unauthorized activity on information systems.
- Ensure user and service account privileges for accessing and maintaining information systems, including webservers and databases, follow the principle of least privilege.
- Protect against code injection attacks by restricting and validating user inputs prior to forwarding to databases.
- Confirm information system, account, and authentication settings are securely configured.
- Monitor financial transactions, including virtual currency business activity, to ensure compliance with applicable orders and guidance on sanctions and anti-money laundering.
This is not an exhaustive list of steps entities may take to protect their information systems and nonpublic information. The NYDFS urges regulated entities to consider taking additional steps to manage their unique cybersecurity risks.