The New York State Department of Financial Services (DFS) has cautioned the businesses it regulates that some remote technology workers may be secretly acting on behalf of the North Korean government. DFS issued the alert in a November 1 letter. Big I New York members who hire virtual assistants or other remote workers should take precautions to avoid hiring one of these individuals.
According to the letter, information technology (IT) workers operating on behalf of North Korea have used several tactics to get jobs with U.S. companies. These include posing as individuals from the U.S. or other countries, using false or stolen identities, or buying identities from U.S.-based individuals.
The individuals often use virtual private networks (VPNs) so that their connections appear to originate in the U.S. when they apply for remote jobs. Notably, they may also refuse to join in-person or video conference meetings. They may also have their new employer's computer equipment shipped to an address other than the one they gave, just before they start work, so that U.S.-based co-conspirators can access the equipment.
DFS said that the Federal Bureau of Investigation (FBI) and the U.S. Department of State have issued advisories regarding these threats.
The letter advised regulated entities to:
- Make senior management, IT personnel, and human resources departments aware that this could happen.
- Conduct a thorough background check during the hiring process, possibly including live or video interviews.
- Track the locations of company-owned laptops and cellphones to ensure that they are delivered and remain at the residence address the employee provided.
- Limit remote employees' access to systems.
- Notify law enforcement and regulators promptly if they conclude that they've been victimized by one of these schemes.
The complete text of the letter, including links to the FBI and State Department alerts and the web address for reporting incidents, is on the DFS website.
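The device-tracking step in the list above can be automated. Here is an added example, written for this page and not taken from the DFS letter or from Big I New York, of how an agency's IT staff might cross-check each remote hire's managed laptop against the residence address on file. It assumes an endpoint-management tool that logs every check-in with the device's public IP, a carrier delivery record for the laptop, and an IP geolocation/VPN-detection feed; the employee records, IP ranges, and log lines below are all constructed, and the lookup table stands in for the real feed.

```python
"""
Added example (not from the DFS letter or Big I New York): flag managed-device
check-ins that contradict the residence address a remote hire provided.
All employees, IP ranges and log lines below are constructed; GEO_TABLE stands
in for an IP geolocation / VPN-detection feed, which is assumed to exist.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    declared_state: str   # state on the residence address the employee gave HR
    delivered_state: str  # state on the carrier's proof of delivery for the laptop


@dataclass(frozen=True)
class GeoEntry:
    network: ipaddress.IPv4Network
    state: Optional[str]  # None when the range is a data-center/VPN block, not a home
    hosting_or_vpn: bool


# Constructed lookup table using documentation address ranges; a real deployment
# would query a commercial IP intelligence feed instead.
GEO_TABLE = [
    GeoEntry(ipaddress.ip_network("203.0.113.0/24"), "NY", False),
    GeoEntry(ipaddress.ip_network("198.51.100.0/24"), "TX", False),
    GeoEntry(ipaddress.ip_network("192.0.2.0/24"), None, True),  # commercial VPN exit
]

# Constructed HR/shipping records for three remote hires.
EMPLOYEES = {
    "emp-042": Employee("emp-042", "NY", "NY"),
    "emp-077": Employee("emp-077", "NY", "TX"),
    "emp-090": Employee("emp-090", "NY", "NY"),
}

# Constructed endpoint-management check-in log: "<timestamp> <emp_id> <public_ip>".
CHECKIN_LOG = """\
2024-11-04T09:12:00Z emp-042 203.0.113.45
2024-11-04T13:40:00Z emp-042 203.0.113.45
2024-11-04T09:05:00Z emp-077 192.0.2.200
2024-11-05T09:07:00Z emp-077 198.51.100.8
2024-11-04T08:55:00Z emp-090 203.0.114.7
"""


def lookup(ip: str) -> Optional[GeoEntry]:
    """First-match lookup; the constructed table has no overlapping ranges."""
    addr = ipaddress.ip_address(ip)
    for entry in GEO_TABLE:
        if addr in entry.network:
            return entry
    return None


def check_device(emp: Employee, checkin_ips: List[str]) -> List[str]:
    """Return findings for one employee's device; an empty list means consistent."""
    findings: List[str] = []
    # Tactic from the letter: equipment shipped somewhere other than the stated residence.
    if emp.delivered_state != emp.declared_state:
        findings.append(
            f"laptop delivered in {emp.delivered_state}, address on file is {emp.declared_state}"
        )
    for ip in checkin_ips:
        geo = lookup(ip)
        if geo is None:
            findings.append(f"{ip}: no location data, verify manually")
        elif geo.hosting_or_vpn:
            # Tactic from the letter: a VPN used to appear U.S.-resident.
            findings.append(f"{ip}: VPN/hosting network, true location hidden")
        elif geo.state != emp.declared_state:
            findings.append(
                f"{ip}: geolocates to {geo.state}, address on file is {emp.declared_state}"
            )
    return findings


def review(employees: Dict[str, Employee], log_text: str) -> Dict[str, List[str]]:
    """Group check-in IPs per employee (deduplicated, order kept) and run the checks."""
    ips_by_emp: Dict[str, List[str]] = {e: [] for e in employees}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than abort the review
        _ts, emp_id, ip = parts
        if emp_id in ips_by_emp and ip not in ips_by_emp[emp_id]:
            ips_by_emp[emp_id].append(ip)
    return {emp_id: check_device(employees[emp_id], ips) for emp_id, ips in ips_by_emp.items()}


if __name__ == "__main__":
    for emp_id, findings in review(EMPLOYEES, CHECKIN_LOG).items():
        print(emp_id, findings or "consistent with address on file")
```

A VPN or hosting-range hit is the strongest single signal here because it is exactly how the letter says the workers hide their location; a state mismatch alone can have innocent explanations (travel, a mobile carrier's routing), so each finding is a prompt for a human to verify, not an automatic termination.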
|
The New York State Department of Financial Services (DFS) has cautioned the entities it regulates to be alert to cybersecurity risks that result from using artificial intelligence (AI) technology, and it described steps for reducing those risks. The department's October 16 industry letter responded to questions about the cyber risks from AI and what to do about them. The letter did not add new requirements to those in the department's cybersecurity regulation. Instead, it explained how entities should use the regulation's existing provisions to assess and address AI risks.

THE RISKS: WHY YOU SHOULD BE AFRAID

Among the risks the department highlighted were:

Social Engineering: "Social engineering" is a cyber attack in which the attacker uses human interaction to obtain an organization's information or to compromise its information or computer systems. For example, a hacker may convincingly impersonate a manager within an organization and then persuade an employee to transfer funds to an illegitimate account. According to the letter, AI has made these attacks more effective. It said, "Threat actors are increasingly using AI to create realistic and interactive" so-called "deepfakes" (audio, video, and text communications that appear to come from an internal manager but do not). Hackers deliver these communications by email, phone, text message, videoconferencing, and online postings. "For example," DFS said, "in February 2024, a Hong Kong finance worker was tricked into transferring $25 million to threat actors after they set up a video call in which every other person participating, including the Chief Finance Officer, was a video deepfake."

Enhanced Cyber Attacks: AI can scan and analyze large volumes of data much faster than a human can, which lets hackers find and exploit security holes much more quickly. Once inside a network, they can use it to decide how best to deploy malware and steal information. They can also use it to quickly develop new variants of malware and ransomware that evade security controls. Lastly, AI tools enable hackers who lack coding skills to develop and launch their own attacks. "This lower barrier to entry for threat actors, in conjunction with AI-enabled deployment speed," the letter said, "has the potential to increase the number and severity of cyberattacks, especially in the financial services sector, where the maintenance of highly sensitive NPI (non-public information) creates a particularly attractive and lucrative target for threat actors."

Entities' Use of AI Tools: Products that use AI rely on collecting and processing large amounts of data, some of which will be NPI. A one-line summary of the New York cybersecurity regulation is, "What you collect, you have to protect." Entities using AI products may therefore have to protect much more information than they otherwise would. That information could include biometric data (facial characteristics, fingerprints, etc.). Some multi-factor authentication (MFA) systems use biometric data to verify a network user's identity, so hackers who steal it may be able to log into a network by impersonating a trusted user.

Third Parties: Third-party service providers and vendors may provide data to the entity or have access to the entity's NPI. If they suffer cyber incidents, the entity's NPI and systems may be exposed to attack.

THE CONTROLS: WHAT YOU CAN DO ABOUT THE RISKS

The letter listed several procedures the regulation already requires that an entity can use to reduce the risks.

- Include the potential for deepfakes and other AI threats when performing the annual risk assessment.
- Design the risk assessment to address:
- The entity's use of AI.
- AI technologies its third-party service providers and vendors use.
- Any vulnerabilities that might result from AI technologies and that could threaten the computer network and NPI.
- Update the entity's cybersecurity policies and procedures to reflect the threats uncovered during the assessment.
- Larger entities that do not qualify for a limited exemption must create and implement plans for investigating and mitigating cyber incidents, as well as plans for incident response, business continuity, and disaster recovery. Limited-exempt entities might want to give some thought to these subjects even though the regulation does not require them to create formal plans. Planning ahead means less flailing if an incident occurs.
- Create a workplace culture that includes cybersecurity awareness.
- When performing due diligence on third-party service providers, consider their uses of AI; the threats that could pose to them; and how cyber incidents they experience could impact your entity.
- Implement strong controls for access to the entity's network, starting with MFA. The regulation requires all entities to implement MFA by November 1, 2024. Access controls should also include annual reviews of which network users have access to NPI and whether they still need it.
- Provide annual cybersecurity awareness training for all employees, including training on the risks of social engineering attacks. The regulation requires all entities to do this by November 1, 2024.
- Larger entities must have formal system monitoring tools in place. Limited-exempt agencies should at least be alert to signs of unusual activity, including employees using the system for purposes the agency has not approved.
- Place sensible limits on the amount of NPI the agency collects and retains. These will vary by the business needs of the agency. What you collect, you must protect, so do not retain more data than you want to protect.
AI technologies are here to stay, and their use will only grow with time. If your agency has not yet registered with technology consulting firm Catalyit, we urge you to do so now. They presented a series of webinars last spring that explain how using AI can benefit your business. There are plenty of benefits to using these technologies, but as with any other type of operation, there are risks. The DFS published this letter to make you aware of the risks and suggest ways to control them while you reap the benefits.
|
The New York State Department of Financial Services (DFS) last week warned all financial services companies of a new cybersecurity threat targeting information technology (IT) help desks and service centers. A letter dated September 27, 2024 stated, "DFS has seen evidence that threat actors are targeting IT help desks and call centers using, among other tactics, voice-altering technology in conjunction with information obtained on the internet about the identities of personnel to convince help desks to reset passwords and divert multi-factor authentication (MFA) to new devices." DFS urged all entities it regulates to alert help desk and service center staff to be diligent in authenticating the identities of anyone who requests changes to authentication factors. Because the caller's voice and biographical details can both be faked, that verification should rest on something the caller cannot assemble from public sources, such as a callback to a phone number already on file or confirmation from the employee's manager, before a password reset or MFA re-enrollment is processed. While most Big I New York members do not have help desks, many do use insurance carrier call centers. You may find that the call centers' staff take more steps to verify your identity when you contact them than they did before, most likely because of this DFS alert. You should anticipate this when contacting them.
|
We want to remind all Big I New York members of the upcoming deadline for complying with new cybersecurity requirements. The New York State Department of Financial Services (DFS) amended its Cybersecurity Requirements for Financial Services Companies regulation last November 1. That amendment included several changes. Some of the changes took effect immediately. The deadlines for others were this past spring, with the deadlines for the rest next month and next year. Many of the regulation's 24 sections do not apply to businesses that qualify for the "limited exemption." A business qualifies for the limited exemption if any one of the following three things is true about that business:
- The business and its affiliates have fewer than 20 employees and independent contractors.
- The business and its affiliates generated less than $7.5 million in gross annual revenue in each of the last three fiscal years from all operations (count only the New York State operations of affiliates).
- The business and its affiliates have less than $15 million in year-end total assets.
Most Big I New York members qualify for the limited exemption. DFS sent an email to all New York licensed insurance professionals earlier this week reminding them of these deadlines. However, only two apply to all "covered entities" (the regulation's term for anyone with a New York banking, financial services, or insurance charter or license). The other three apply only to businesses that do not qualify for the limited exemption and to so-called "Class A companies" (very large companies with revenues in the tens of millions and more than 2,000 employees).
The two November 1 deadlines that apply to all covered entities are:

1. Use multi-factor authentication (MFA) for any individual accessing the entity's information systems. Agencies that qualify for the limited exemption, however, are required to use it only for:
- Remote access to the agency's computer systems.
- Remote access to third-party applications from which individuals can access non-public information.
- All “privileged accounts" (essentially system administrator accounts) other than service accounts that prohibit interactive login.
If your agency has not already implemented MFA and you need help, agency technology consulting firm Catalyit offers these resources:
Membership in Catalyit is free for Big I New York members, so we encourage all members to register.

2. Provide, at least annually, cybersecurity awareness training that includes social engineering for all personnel. The training should be updated as needed to reflect the risks the agency has identified during its annual cybersecurity risk assessment. The Compliance Resources page in the Cybersecurity section of our website lists potential providers of cybersecurity awareness training.

All covered entities, including agencies that qualify for the limited exemption, must comply with these requirements by November 1, 2024. The deadlines that apply only to larger organizations involve cybersecurity reports to an entity's senior governing body, changes to encryption requirements, and changes to incident response and business continuity management requirements. These requirements do not apply to agencies that qualify for the limited exemption. For more information:
|
A South Carolina-based wholesale insurance brokerage reported last week that it had suffered a cybersecurity incident it did not describe. The incident closed the wholesaler for a substantial part of the week. Some Big I New York members have asked whether the New York financial services cybersecurity regulation obligates them to notify the state Department of Financial Services (DFS) about this incident. If your agency does business with that wholesaler, you may have the same question. Based on the information we have received and what the wholesaler has said on its website, we do not believe New York agencies have an obligation under the regulation to report this incident to the DFS. The wholesaler does, but the retail agency does not.
Section 500.17 of the regulation states:

(a) Notice of cybersecurity incident. (1) Each covered entity shall notify the superintendent electronically in the form set forth on the department's website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider. (2) Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.

The definitions in Section 500.1 state:

For purposes of this Part only, the following definitions shall apply:

(a) Affiliate means any person that controls, is controlled by or is under common control with another person. For purposes of this subdivision, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise. …

(f) Cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.

(g) Cybersecurity incident means a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that: (1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body; (2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or (3) results in the deployment of ransomware within a material part of the covered entity's information systems.

(m) Person means any individual or entity, including but not limited to any partnership, corporation, branch, agency or association. …

(s) Third-party service provider(s) means a person that: (1) is not an affiliate of the covered entity; (2) is not a governmental entity; (3) provides services to the covered entity; and (4) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.

The incident at this wholesaler was clearly a "cybersecurity event" because it was a successful act to disrupt an information system. In addition, it was a cybersecurity event that occurred at a "third-party service provider" because the wholesaler does not have an ownership relationship with retail agencies, is not a governmental entity, provides services to the retailers, and (I assume) has access to the retailers' non-public information. That meets the first part of the definition of "cybersecurity incident." However, the incident does not appear to fit any of the three remaining parts of the definition:

- It impacts the retail agency, but there is no indication (yet) that it requires the agency to notify any government body, self-regulatory agency or other supervisory body. The wholesaler said, "To date, there is no evidence that any data has been misused in any way." If the retailers' clients' private information has not been exposed, no such notification is triggered.
- It does not appear to have a reasonable likelihood of materially harming any material part of the retailer's normal operations, since nothing has been reported about the incident shutting down retailers.
- No ransomware has been deployed in retailers' computer systems.
Since the incident does not meet any of those three criteria, it is not a "cybersecurity incident," and a cybersecurity event that is not a cybersecurity incident does not require a notice to DFS. That could change, especially if the wholesaler eventually reports that private data was exposed and that it had to notify regulators or law enforcement. Any future communications from them on this will be important.
|
The New York State Department of Financial Services (DFS) this week unveiled a new model Cybersecurity Program Template for use by small businesses, including insurance agencies. All independent insurance agencies should consider using this template as the model for their cybersecurity programs. New York's financial services cybersecurity regulation requires all agencies to implement cybersecurity programs. In a guidance letter dated May 13, 2024, the department stated that the model "prompts licensees to carefully consider and address the core concepts of a cybersecurity program in order to help create a program that complies with the requirements of the Cybersecurity Regulation." It also includes frameworks for developing and tracking:
- Asset inventories
- Risk assessments
- Multi-factor authentication exceptions, and
- Third-party service providers.
The template is available for you to download from the DFS website and at www.biginy.org/cyber.
|
Entities regulated by DFS in the banking, financial services, and insurance sectors must complete the annual compliance filing that the financial services cybersecurity regulation requires by April 15. This year they will notice a change. Each year these entities must submit a statement by April 15 about the state of their compliance with the regulation's requirements. Before this year, they submitted a statement that they had complied with the requirements during the prior calendar year. An amendment to the regulation that took effect last November 1 expanded that requirement. Entities now complete and submit one of two forms.

Your agency will complete and submit the first form if it "materially complied" with the regulation's requirements during the prior calendar year. The agency must base that conclusion on records that support it.

The agency must submit the second form if it did not meet the requirements in one or more sections of the regulation that apply to it. The person completing this form must:

- Acknowledge that the agency did not "materially comply" with all the regulation's requirements during the prior year.
- Identify the sections the agency did not comply with.
- Describe what the agency failed to do and how big the failure was.
- Either affirm that the agency has since met the requirements or provide a timeline for eventual compliance.
The agency's highest-ranking executive and its chief information security officer (CISO) must sign whichever form the agency submits. If the agency does not have a CISO, the senior officer responsible for the agency's cybersecurity program must sign it instead. Most Big I New York members do not have a CISO. If the highest-ranking executive and the person responsible for cybersecurity are the same person, that person must sign in both spaces. Your agency must retain the documents supporting its filing for five years. If you are one of the 92% of Big I New York members who qualify for the limited exemption, you must certify compliance or acknowledge noncompliance only with those sections of the regulation that apply to you.

Two things that have not changed:

- Your licensed employees whom your agency's cybersecurity program covers do not have to submit either of these forms. They should have submitted a Notice of Exemption and given Section 500.19(b) as the reason.
- The regulation does not require the agency or its licensed employees to submit the Notice of Exemption again unless something has changed. An employee who changed employers or their name must submit a new one. So does an agency that grew too large to qualify under one of the three criteria for the limited exemption. If none of that is the case, the regulation does not require a Notice of Exemption every year. We have spoken with members who have done this unnecessary work.
More information is always available at:
|
With the New York State Department of Financial Services' (DFS) recent adoption of the second amendment to the Cybersecurity Requirements For Financial Services Companies regulation, members have naturally been contacting us to ask what they are required to do. The overwhelming majority of Big I NY members qualify for the limited exemption. If your agency is one of them, here are the sections of the regulation you must comply with regardless of your agency's size:
- Section 500.2, Cybersecurity Program - you must have a program in place to protect your computer network and any nonpublic information (NPI) stored on it. The program is made up of the devices you use, the protective devices and software you have in place, and the policies and procedures the users of your network follow.
- Section 500.3, Cybersecurity Policy - you must have written policies and procedures for protecting your computer systems and the NPI stored on them.
- Section 500.7, Access Privileges and Management - to the extent it's feasible for your agency, your cybersecurity policy must set limits on the parts of your system and NPI different users can access. It also must set limits on system administrator accounts and set procedures for regular management of all users' access.
- Section 500.9, Risk Assessment - at least annually, you must perform an assessment of your cybersecurity risks, identify system vulnerabilities, and develop a plan to address them.
- Section 500.11, Third-Party Service Provider Security Policy - your cybersecurity policy must include policies and procedures for ensuring the security of your systems and NPI that are accessible to, or held by, third-party service providers.
- Section 500.12, Multi-Factor Authentication - by November 1, 2024, your agency will have to implement authentication through verification of at least two types of factors such as passwords, tokens, and face scans.
- Section 500.13, Asset Management and Data Retention Requirements - your agency's cybersecurity policy must include policies and procedures for periodically and securely disposing of NPI you no longer need. By November 1, 2025, you will also have to maintain a written inventory of all your computer systems' devices, including who has them and where.
- Section 500.14, Monitoring and Training - by November 1, 2024, you must provide regular cybersecurity awareness training to the users of your computer systems.
- Section 500.17, Notices to Superintendent - you must notify DFS within 72 hours of determining that certain types of cybersecurity incidents have occurred. Also, between January 1 and April 15 each year, you must submit to DFS either a certification that your agency was in material compliance with the regulation the prior calendar year or an acknowledgement that you were not in material compliance with one or more sections. If it's that second one, you must report what you are doing about it.
For more information, visit: More resources will be available soon. Watch our bi-weekly newsletters and this website for announcements.
|
What Happened:
For more than a year, the New York State Department of Financial Services (NYSDFS) has been working on amendments to the state's cybersecurity regulation. On Wednesday, those changes were made final. Throughout the amendment process, Big I NY advocated strongly for many changes that will benefit independent insurance agencies and their customers, including an expanded limited exemption and a total exemption for inactive licensees. We also urged the department to eliminate the requirement that agents and carriers "cross police" each other as third-party service providers, and to eliminate the annual certification of compliance requirement; however, these suggestions were not adopted.
What it Means For You:
Expanded Limited Exemption: A welcome change is the expanded criteria for who qualifies for a “limited exemption.” The limited exemption exempts small and mid sized entities from the most burdensome (but not all) requirements. An estimated 93% of Big I NY members will now qualify under the new criteria:
- Fewer than 20 employees (previously 10); or
- Less than $7.5 million in gross annual revenue over the last 3 fiscal years (previously $5 million); or
- Less than $15 million in year-end assets (previously $10 million).
Exemption for Inactive Licensees: Licensees who have no carrier appointments will now be completely exempt from the regulation.
Changes to Certification of Compliance: The compliance filing that you must submit every year by April 15 will now require you to identify requirements under the regulation where your agency was not in material compliance the year before. You will also have to explain whether you have achieved compliance and, if not, what you plan to do about it.
The filing will also require two signatures - one from the agency's senior officer, the other from the officer or manager in charge of cybersecurity. Big I NY repeatedly opposed these changes. We plan to ask NYSDFS for clarification on how agencies should handle that requirement when both roles are filled by the same person.
Multi-Factor Authentication and Cyber Training: Beginning November 1st, 2025, all licensed entities (limited-exempt or not) must use multi-factor authentication for access to their information systems. Beginning April 29th, 2024, all entities must provide their employees with cybersecurity awareness and social engineering training.
Big I NY Has Your Back:
We plan to provide videos and other media to further explain the changes. Also, watch for your chance to register for a special Gear Up presentation on the amendments later this month.
Don't forget that you can access our cybersecurity-related information at anytime by visiting www.biginy.org/cyber and by checking the Cyber category in our Newsfeed.
Some of you may need individual help with the changes, and we're prepared to aid you with that as well. We are expanding our technical consulting service to include cybersecurity regulation compliance assistance. For an affordable hourly fee, you can get the individual attention you need to meet your obligations under the regulation.
Any change in laws or regulations that affects your business will be confusing and stressful, but we are here to make it as easy for you as possible. Check back here often as we add new content to help you with compliance.
|
The NYS Department of Financial Services this morning formally adopted changes to the cybersecurity regulation, something we have been anticipating for nearly 18 months. At the same time, it appears the department emailed every licensed person for whom it has an email address to announce the adoption, so you may have received this email. Here is what you need to know today:
- We are in the process of reviewing the final version of the amendments. This is the third version of the amendments DFS has published, and it is not identical to what they proposed earlier.
- Both previous versions stated that the earliest date compliance will be required is 30 days from today (December 1), and that deadline applies only to reporting certain types of security breach incidents. Compliance with most of the changes will not be required until May 1, 2024, and some will have later compliance dates. No one has to do anything immediately.
- Once we've analyzed the final version, we will provide the information to members in a variety of media, including blog posts, possibly videos, webinars, meetings with local association boards, and any other methods we can think of that might work.
- We have also met with representatives from DFS about coordinating training on the amended requirements. That training will likely occur in early January.
- Visit the Compliance Resources section at www.biginy.org/cyber and the Cyber category in the Newsfeed section of our website, which can be found by hovering over the News link in the upper right corner. We have content about the previous two versions in those locations.
- Above all, please know that we're on top of this and there is absolutely no need for you to do anything right now.
We will post additional information here as soon as we have it ready.
|