COVID-19 has disrupted normal operations in the financial services industry. At a time when employees are geographically scattered and targeted by cybercriminals, businesses face extraordinary security challenges while also having to deal with guidelines from the New York Department of Financial Services (NYDFS), the Financial Industry Regulatory Authority (FINRA) and the SHIELD Act.
This heightened risk of cybersecurity incidents paired with new guidance for safeguarding the organization has many financial services firms struggling to understand how their existing compliance obligations overlap with the new guidance.
Here is a brief overview:
On April 13, NYDFS published new guidance on addressing cybersecurity risks heightened by COVID-19. The updated guidance focuses on three areas of risk: remote working, increases in phishing and fraud, and third-party security risks. It also covers secure remote access, including the use of multi-factor authentication, secure VPN capabilities, and encryption of data in transit.
The COVID-19 guidance also reminds regulated entities that cybersecurity events must be reported to the agency “as promptly as possible and within 72 hours at the latest.”
FINRA published notices on March 9 and March 26 encouraging firms to assess their business continuity plans (BCPs) for the flexibility and security requirements needed to operate during a pandemic, and listing the security measures to consider as firms respond to COVID-19.
In particular, the new notices advise businesses on establishing processes to supervise remote workers. They suggest that remote-communications technologies and employee home internet connections be tested to ensure they can capably connect to critical business systems.
The New York SHIELD Act, an update to New York’s data security law that went into effect on March 21, 2020, requires businesses that store or process electronic private information of New York State residents to adopt “reasonable” security safeguards. The act also stipulates that financial firms identify security program coordinators who are responsible for identifying current risks and assessing the ability of existing safeguards to control these risks.
This is just a brief overview of the requirements that firms are facing. Sorting out this guidance and all the requirements can be tricky; ACE IT Solutions’ compliance and risk management experts can help. Contact ACE IT Solutions at 646.558.5575 or firstname.lastname@example.org to set up a consultation.