New York Department of Financial Services Issues Cybersecurity Threat Alert as Malicious Activity Rises

The New York Department of Financial Services (DFS) published an alert directed to all DFS-regulated entities specifically warning of a widespread cybersecurity threat involving social engineering of regulated institutions’ IT help desk personnel and call center personnel.

According to the alert, DFS has detected a trend in which threat actors have targeted IT personnel as a part of schemes to gain system access through password resets and diversion of multi-factor authentication (MFA) to new devices. According to DFS, threat actors have employed tactics including voice-altering technology and leveraging information found online about identities of individuals, in attempts to convince IT personnel at help desks and call centers to comply with fraudulent access requests.

DFS cautions all regulated entities to be on “high alert for suspicious communications” based on the observed threat actors’ recent activity. Entities are encouraged by DFS to:

  • implement secure controls for password changing and MFA device configurations;
  • exercise caution in authenticating the identity of anyone who tries to change a password or MFA device; and
  • remain vigilant when receiving requests from individuals and vendors regarding system access. 

DFS included a link to guidelines published by the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA). The guidelines from CISA (CISA: Avoiding Social Engineering and Phishing Attacks) identify best practices to protect against these cyber threats, including:

  • Distinctions between common methods of social engineering employed by threat actors
  • Common indicators of malicious activity disguised as a legitimate communication
  • Proactive measures to minimize the risk of disclosing information and/or permitting access to threat actors
  • Guidance and resources on handling a cybersecurity compromise

In addition to the CISA guidelines, NYDFS has a publicly available Cybersecurity Resource Center with more information and guidance for DFS-regulated individuals and entities.

For More Information

If you have any questions about this blog post, please contact Michelle Hon Donovan, Ariel Seidner, Milagros Astesiano, any of the attorneys in the Privacy and Data Protection Group, or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This blog post has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm’s full disclaimer.

Texas Data Privacy and Security Act Coming July 1, 2024: What You Need to Know

In the absence of a federal comprehensive privacy law, states have been enacting their own in a sort of domino effect, creating a patchwork of compliance laws with their own nuances. The Texas Data Privacy and Security Act (TDPSA) is one of those new laws and goes into effect July 1, 2024, bringing Texas into the fold of U.S. states with a comprehensive data privacy law. While the TDPSA is similar to existing state data privacy laws, it has a unique threshold requirement that may broaden its reach compared to other states. Below are some key considerations that covered businesses should take into account to get ready for compliance with this upcoming new law. Read the full Alert on the Duane Morris website.

Comment Period Open for Defense Department’s Cybersecurity Maturity Model Certification Program Proposed Rule

On December 26, 2023, the Department of Defense (DoD) published its long-awaited proposed Cybersecurity Maturity Model Certification (CMMC) Program rule, which will impose comprehensive cybersecurity and compliance affirmation requirements on DoD contractors and subcontractors. Given that the eventual final rule could result in CMMC clauses in some DoD contracts as early as the first quarter of fiscal year 2025, interested parties are encouraged to submit comments on the proposed rule by February 26, 2024.

Read the full Alert on the Duane Morris LLP website.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
