NYDFS Issues Cybersecurity Alert to Regulated Entities

On March 9, 2021, NYDFS issued another cybersecurity alert to regulated entities. It disclosed that in recent days thousands of organizations were compromised via zero-day (newly discovered) vulnerabilities in Microsoft Exchange Server. Microsoft made patches available for these vulnerabilities on March 2, but many organizations apparently were compromised before the patches were either available or applied. NYDFS is urging all regulated entities with vulnerable Microsoft Exchange services to act immediately by patching or disconnecting vulnerable servers. CISA has also released a current activity update outlining how to search for the type of compromise identified.

The alert may be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202103092

NYDFS Issues Cyber Fraud Alert

On March 30, 2021, NYDFS issued a follow-up cybercrime alert: “This cybercrime campaign is a serious threat to the personal information of New Yorkers, and we urge all personal lines insurers and other financial services companies to take aggressive action to prevent the further loss of consumer information. All financial services companies should immediately check for any evidence of this cybercrime and ensure that they have implemented [] the robust access controls required by DFS’s cybersecurity regulation, 23 NYCRR 500.”

https://www.dfs.ny.gov/industry_guidance/industry_letters/il20210330_cyber_alert_followup