InfoBytes Blog

Financial Services Law Insights and Observations

NYDFS encourages regulated entities to prepare for cyber attacks

On January 4, NYDFS issued an Industry Letter warning regulated entities about the “heightened risk” of cyberattacks by hackers affiliated with the Iranian government following the killing of Iranian official Qasem Soleimani, and strongly encouraging entities to undertake preparations to ensure quick responses to any suspected cyber incidents. Specifically, NYDFS recommends that regulated entities (i) patch/remediate all vulnerabilities (especially publicly disclosed vulnerabilities); (ii) ensure employees are adequately able to handle phishing attacks; (iii) “fully implement multi-factor authentication”; (iv) “review and update disaster recovery plans”; and (v) quickly respond to further alerts from the government or other reliable sources, even outside regular business hours. The letter notes that NYDFS’ cyber regulation, 23 NYCRR 500.17 (previously covered by InfoBytes), requires regulated entities to notify NYDFS “‘as promptly as possible but in no event later than 72 hours’ after a material cybersecurity event.”