On January 12, 2024, the New York State Department of Financial Services issued a cybersecurity alert regarding self-service password reset (SSPR) features. It warned that some organizations' SSPR systems lack secure authentication, which can pose risks. For instance, using email addresses or mobile phone numbers as authentication factors can be vulnerable to attacks such as SIM-swapping. The alert advised implementing layered controls like mobile device management, monitoring SSPR attempts, and limiting user access to SSPR. It also urged regulated entities to report cybersecurity incidents and extortion payments via the DFS Portal.
On December 27, 2023, the New York State Department of Financial Services (DFS) issued guidance to Chief Information Security Officers about a cybersecurity incident involving First American Financial Corporation. First American warned recipients to be cautious of emails purportedly from them, advising against clicking on unknown or suspect links. DFS emphasized the importance of remaining cautious and vigilant with email links and attachments.
On November 15, 2023, the New York State Department of Financial Services issued updated guidance for Virtual Currency Business Entities, incorporating feedback from a public comment period. Key points include obtaining DFS approval for coin-listing policies, providing written notice of self-certified coins, and creating separate coin-delisting policies. VC Entities must meet DFS deadlines for policy submission and adhere to governance, process, and execution standards outlined in the guidance. Additionally, the guidance reminds entities of their obligation to comply with the DFS Cybersecurity Regulation (23 NYCRR Part 500) and other applicable laws and regulations.
On November 14, 2023, the New York State Department of Financial Services (DFS) issued a cybersecurity threat alert regarding the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and Gateway products.

This vulnerability allowed cyber actors to take control of affected systems, leading to session hijacking and targeted attacks. Citrix advises immediate installation of recommended builds and termination of active sessions.

Another vulnerability, CVE-2023-4967, has been identified in customer-managed instances of Citrix NetScaler ADC and Gateway. DFS urged regulated entities to assess the risk to their organization and take mitigation measures promptly. Incidents meeting the criteria of 23 NYCRR Section 500.17(a) must be reported via the secure DFS Portal within 72 hours. Additionally, beginning December 1, 2023, cyber extortion payments must be reported within 24 hours, with a description of the rationale for the payment provided within 30 days.
On June 2, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and others announced that Progress Software (“Progress”) had released a security advisory for a vulnerability in MOVEit Transfer—a managed file transfer software.

According to Progress’s website, a SQL injection vulnerability had been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. This vulnerability could lead to escalated privileges and potential unauthorized access to the environment. Progress recommended that MOVEit Transfer customers take immediate action, including applying the mitigation measures listed on its website and patching affected versions. All regulated entities were urged to promptly assess the risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and take action to mitigate that risk.

Regulated entities must report cybersecurity events that meet the criteria of 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest via the secure DFS Portal, which can be accessed from DFS’s Cybersecurity Resource Center. DFS considers evidence of unauthorized access to information systems, such as webshell installation, to be a reportable Cybersecurity Event pursuant to 23 NYCRR Section 500.17(a)(2), even if no malware has been deployed and no data exfiltrated.
On December 10, 2021, a critical vulnerability in Apache's Log4j software was announced by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and others. This vulnerability, considered one of the most serious to date, allowed for remote code execution. Threat actors were actively exploiting it to deploy ransomware, steal data, and disrupt operations. Regulated entities were urged to assess and mitigate risks promptly, consulting CISA guidance. Reporting such cybersecurity events promptly was emphasized, following criteria outlined in Section 500.17(a) of the New York Codes, Rules and Regulations (NYCRR).
On December 7, 2021, the NYDFS posted guidance on Multi-Factor Authentication (MFA); MFA had long been recognized as a crucial aspect of cybersecurity, even back in 2016 and 2017 when the Department of Financial Services (DFS) drafted the Cybersecurity Regulation. MFA was explicitly required by the Regulation due to its importance, a stance that hasn't changed over time, especially with the rise in cybercrime.
MFA weaknesses have consistently been exploited in cyber incidents, with gaps often found in its implementation or configuration. These gaps have led to consequences, impacting millions of consumers. DFS has been actively enforcing MFA requirements, resolving enforcement actions against companies failing to implement it effectively.

The Cybersecurity Regulation mandates MFA for remote access, emphasizing its necessity in managing unauthorized access risks. Despite exemptions for small businesses, the increase in cybercrime has made MFA indispensable for all entities.

Common MFA problems include legacy systems lacking MFA support, insufficient coverage for key applications, and poor management of exceptions. DFS recommends using MFA for privileged accounts and being cautious of different MFA methods' vulnerabilities.
For small businesses, lacking MFA has made them prime targets for cybercriminals. DFS recommends implementing MFA, offering resources like the Cybersecurity Toolkit for Small Business to facilitate the process.
On October 22, 2021, the DFS published guidance regarding the adoption of an affiliate's cybersecurity program. The Cybersecurity Regulation permits Covered Entities to adopt “the relevant and applicable provisions” of the cybersecurity program of an affiliate, provided that such provisions satisfy the requirements of the Cybersecurity Regulation. 23 NYCRR § 500.2(c). Many Covered Entities are affiliates of other companies (parents, subsidiaries, etc.) and often share information technology and cybersecurity resources and programs with those affiliates. Adoption can occur, for instance, when a DFS-licensed subsidiary uses a shared service provided by the parent corporation. Examples of Covered Entities that have adopted all or part of an affiliate’s cybersecurity program include the New York subsidiary of a national insurance company, a virtual currency entity created by a corporate parent specifically to engage in that business activity, and the New York branch of a foreign bank.

On June 30, 2021, DFS posted guidance regarding the increasing amount of ransomware attacks on US institutions. Ransomware posed a particularly strong concern for financial institutions, with the potential to result in financial crisis. The Department of Financial Services (DFS) underscored the exponential increase in ransomware attacks, which led to a surge in cybercrime costs and impacted the cyber insurance landscape. Despite the escalating ransom payments made by victims, DFS strongly advised against such actions due to associated risks, urging instead the implementation of robust cybersecurity controls outlined in their guidance to mitigate the likelihood of such attacks. These measures encompassed email filtering, patch management, multi-factor authentication, and privileged access management, among others, to bolster resilience against ransomware threats.

DFS emphasized the imperative for institutions to develop comprehensive incident response plans and maintain segregated backups as crucial preparatory measures against potential ransomware incidents. Moreover, DFS highlighted the need for collaborative efforts within the industry to address the evolving ransomware landscape effectively. By adhering to these guidelines and fostering a proactive cybersecurity posture, financial entities could fortify their defenses and minimize the risk of falling victim to ransomware attacks, thereby safeguarding both their operations and the broader financial ecosystem.
On March 9, 2021, the DFS posted guidance to officers of Covered Entities regarding four vulnerabilities found in Microsoft Exchange Server.
In recent days, thousands of organizations were compromised via zero-day vulnerabilities in Microsoft Exchange Server, despite patches being made available by Microsoft on March 2, 2021. The Department of Financial Services (DFS) urgently advised all regulated entities with vulnerable Microsoft Exchange services to take immediate action by either patching or disconnecting vulnerable servers and utilizing Microsoft's tools to address any compromise resulting from these vulnerabilities. Additionally, the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) issued guidance on searching for compromises related to these vulnerabilities.

Microsoft had reported four vulnerabilities affecting on-premises versions of Microsoft Exchange Server, including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, which were actively exploited before the patches were released. CISA recommended immediate patching and advised on preserving forensics of cyber events, highlighting the deployment of web shells by threat actors for persistent network access. Regulated entities were urged to assess the risk to their systems and consumers, track developments related to the compromise, and promptly report cybersecurity events as required by regulation.