New York State Department of Financial Services (DFS) Acting Superintendent Kaitlin Asrow issued new guidance on May 21, identifying cybersecurity measures that DFS-regulated entities should consider adopting when facing a heightened threat environment.
One example given in the announcement is the ongoing geopolitical climate, which has the potential to increase the risk of cyberattacks; another is technological developments that materially change cybersecurity risks, such as the release of frontier artificial intelligence (AI) models. Such situations may warrant stronger defensive measures and increased vigilance, DFS warned.
“This guidance gives our regulated entities actionable steps that can be taken when the threat environment intensifies,” Asrow said in a press release. “Each entity should assess their unique circumstances and operations to identify which steps are warranted.”
In the guidance, organizations and individuals regulated by the DFS are advised on actions to take when facing a heightened cybersecurity threat environment. This heightened environment is characterized by increased risks that could affect information systems and sensitive data. The guidance is meant to help with risk management and compliance but does not introduce new legal requirements.
The guidance includes a list of best practices for regulated entities to enhance cybersecurity, although adoption is not mandatory and should depend on each organization’s unique situation. Organizations need to assess specific threats, their information systems, supply chains and risks relevant to their sector before deciding on additional controls.
To reduce vulnerabilities, it is recommended that organizations quickly address known issues in their systems, restrict network access to only the protocols that are necessary, and use secure methods of multifactor authentication. They should also strengthen network security, validate cloud configurations and ensure secure programming practices.
For improved detection and response to threats, organizations should ensure proper security controls are deployed, monitor activity for anomalies, and prepare staff to handle cybersecurity threats. Engaging with third-party services is also recommended to maintain awareness of risks.
To enhance their resilience, organizations are advised to routinely test their backup integrity, review incident response plans and ensure critical operations can continue if systems fail. They should also monitor financial transactions for compliance with relevant laws and guidance.