DFS: What To Do When Cyber Threats Increase
The New York State Department of Financial Services (DFS) recently released new guidance to help insurance agencies and other entities prepare for times when cyber threats become more dangerous. The guidance does not create new rules, but it does explain important steps organizations should consider taking to better protect themselves.
The guidance explained that a heightened threat environment happens when the risk of cyberattacks is much higher than normal. This can happen because of major world events, such as wars or political conflicts (for example, the ongoing conflict between the U.S. and Iran), or because of modern technologies that enable attackers to find and exploit weaknesses in computer systems more easily. DFS specifically mentioned advanced artificial intelligence (AI) tools as an example of technology that could increase cyber risks.
The guidance groups its recommendations into three areas:
Make it harder for attackers to infiltrate your systems.
You can do this by:
- Strengthening multi-factor authentication (MFA).
- Limiting who can access important systems.
- Separating networks so attackers cannot easily move from one system to another (if your agency has multiple networks).
- Carefully checking and controlling third-party software and services (for example, agency management systems or accounting software).
These steps help reduce the number of ways attackers can break in.
Prepare to spot cyber threats quickly.
To do this:
- Keep security software (anti-virus, anti-malware, and similar programs) updated.
- Monitor systems for unusual activity.
- Train employees to recognize cyber threats and scams.
- Review media reports of new threats regularly.
- Engage an information technology consultant who can inform you about network security.
- Communicate often with your vendors and service providers, such as your agency management system provider.
The faster you find a problem, the faster you can respond and limit the damage.
Prepare to recover from successful attacks.
No defense is absolute. Despite your best efforts, a cybercriminal may find a way to access your systems and data. If you have a disaster recovery plan for coping with fires, hurricanes, and winter storms, make cyber attack recovery part of it.
Things to consider:
- Maintaining tested backups of important data (this is essential for a speedy recovery).
- To the extent you have time, practicing recovery procedures regularly.
- Preparing for long-lasting disruptions. Even if your systems aren’t compromised, a utility or vendor you rely on might be attacked and shut down for a long time.
- Reviewing and updating response plans as threats change.
You want to be able to keep the agency running and recover as quickly as possible after an incident.
DFS issued this guidance alongside a separate advisory about advanced (so-called “frontier”) AI models. By their nature, AI models constantly learn. Regulators are concerned that future AI systems could learn how to discover software weaknesses much faster than before. Cyber criminals will take advantage of this knowledge. Consequently, you may need to patch vulnerabilities more quickly and pay closer attention to cybersecurity risks.
The new DFS guidance sends a clear message:
Normal security practices will not be enough when cyber threats increase.
Take extra precautions, improve monitoring, and strengthen your recovery plans. The guidance is not a new legal requirement, but DFS will expect all its regulated entities, including insurance agencies, to consider these measures when cybersecurity risks grow.