Both the New York State Department of Financial Services (“DFS”) and the Securities and Exchange Commission (“SEC”) have warned financial entities that Russia’s invasion of Ukraine will likely result in an elevated number of cyber-attacks and malicious cyber activity directed at the United States financial sector. In support, the agencies cite Russia’s past behavior of spillover cyber-attacks and direct attacks in retaliation for sanctions and, thus, recommend a series of actions for financial entities.
Specifically, the SEC cites the Cybersecurity & Infrastructure Security Agency (“CISA”) recommendation for an enhanced cybersecurity posture of “Shields-Up.” Please see https://www.cisa.gov/shields-up. Recommended actions from SEC and CISA, include, but are not limited to: (1) assessing whether any business is conducted with Ukrainian companies and if so, to put additional security in place to monitor, inspect, and isolate traffic from those companies, (2) validating that all remote access requires multi-factor authentication, (3)disabling, if not done so already, all ports and protocols that are not essential for the business, (4) confirming that your entire network is protected by antivirus/antimalware software, (5) testing backup and restoration procedures to protect against ransomware and confirm that backups are isolated from network connections. Please see the following link for the full list. https://www.cisa.gov/shields-up
The guidance from DFS was similar and it also recommended multi-factor authentication, testing backups, and ensuring an updated incident response plan. In fact, DFS cited that entities should also follow the CISA guidance referenced above and stay updated with its recommendations. Notably, DFS also stated that entities should “implement practices not already in place in the DFS’s June 2021 Ransomware Guidance, which sets forth key controls that reduce the risk of destructive cyber-attacks.” DFS is emphasizing this guidance for two reasons. First, entities should implement the practices given the heightened risks asscociated with Russia’s invasion, and second, DFS, in the near future, will be confirming whether entities did so. Please see the DFS June 2021 guidance here – https://www.dfs.ny.gov/industry_guidance/industry_letters/il20210630_ransomware_guidance
In sum, entities should take the time now to prioritize a thorough review and confirmation of cybersecurity practices given the increased cyber-risk. Entities should also take the time to thoroughly document such review and confirmation. That will ensure the recommended steps are complete as well as help mitigate future regulatory risk when your cybersecurity practices are scrutinized by a respective agency.