New York DFS Issues Rare Cybersecurity Industry Letter; Pushes Back Certification Deadline

Following recent developments in Iran, the New York Department of Financial Services, on January 4, 2020, issued a “Cybersecurity Risk Alert” Industry Letter warning of a heightened risk of cyberattacks from the Iranian government.  The issuance followed similar warnings from the U.S. Department of Homeland Security.

DFS pointed to previous attacks against the United States and financial services industry, including US banks.  A number of individuals previously were indicted in this regard.  The federal government in recent years also has advised of increases in malicious activity from Iran.

DFS indicated there was no specific threat, but advised regulated entities to be vigilant, noting that Iran often uses hacking techniques like “email phishing, credential stuffing, password spraying, and targeting of unpatched devices.”  DFS also recommended addressing vulnerabilities, updating security controls, remaining alert even outside of business hours (when Iranian hackers are known to attack), and notifying DFS quickly of any noteworthy attacks.  Many of these steps are expressly required in New York’s cybersecurity regulation.

The issuance, the first of its kind in many years, highlights DFS’s emphasis on its cybersecurity regulations, and raises the question of what expectations DFS will have of regulated entities going forward.  Such entities would do well to take the issuance into consideration when conducting operations.

DFS also has pushed back the deadline for filing Compliance Certifications.  The new deadline is April 15, 2020.

Garris Horn frequently provides advice on DFS initiatives, state agency guidance, and cybersecurity.  For more information, or to discuss related matters, contact Troy Garris directly at 301-461-8952 or troy@garrishorn.com.

Troy Garris

Troy is a business owner’s lawyer, priding himself on a results-oriented, pragmatic approach to addressing legal issues in the financial services world. In his words, “I find out what the business wants, what it needs. If I start there, I can often find a way to get them to the result wanted, or very close to it, in a legal and compliant way.”
