  
|
Posted By Robert Treuber,
Thursday, September 22, 2022
|
Issued 9-22-2022 from SCCO Alert Unfortunately, the countywide shutdown of all computer services is still in effect. Our County Clerk IT, County IT and cyber security experts have been working around the clock to try and get us back up and running as soon as possible. This is an enormous task and the county is putting all of it’s resources towards it.
While we do not have much new news to offer, County Clerk staff will be available in the cafeteria in the Riverhead County Center on Friday at 10:00 a.m. to answer any questions that we can. As many of those who have visited the building over the last couple of days can attest to, there are still many questions that we can not answer both in the short term and long term.
We understand the impact the shutdown has had on the title and real estate industry as well as your businesses and livelihoods. We greatly appreciate your continued patience as we try to move through this collectively.
Tags:
cybersecurity
Suffolk
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Friday, September 16, 2022
|
Media coverage of the Suffolk County computer outage has focused on public safety issues. We have not seen official reports related to land recordation. The following links were posted September 13th and 14th. https://www.wshu.org/long-island-news/2022-09-13/suffolk-county-moves-its-online-services-to-temporary-website-following-cyberattack https://www.nbcnewyork.com/news/local/crime-and-courts/cyberattack-on-long-island-disrupts-government-agencies/3864176/ https://riverheadlocal.com/2022/09/13/county-it-systems-crippled-with-websites-email-down-five-days-after-discovery-of-cyberattack/ NYSLTA will issue email alerts only if the information is from an official source and is verifiable. The NYSLTA Land Records Committee is in contact with the Office of the County Clerk and other officials, by phone and in-person.
Tags:
County Clerk
cybersecurity
Suffolk
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Wednesday, September 14, 2022
|
| | | While we’re confident the data and records in our office have not been impacted, the county’s network, which many of our programs utilize, is still inaccessible. |
| | Once we are assured the network is safe and available for use by our programs we will make computers available to title examiners in the County Center. It is anticipated that remote access will not be available when the network eventually becomes accessible again. |
| | Once we have an update on the network status and possible timeframe for computer use we will reach out to you again. |
| | Please notify colleagues within your organization or company as well. |
| | Access to this e-mail is limited so replies will not be responded to immediately. We apologize for the inconvenience and will be back in touch once we have more information with regard to access. |
Tags:
cybersecurity
Suffolk
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Monday, March 14, 2022
Updated: Monday, March 14, 2022
|
Annual Certifications of Compliance
The Certification of Compliance is a critical governance pillar of the cybersecurity programs of all Covered Entities. Prior to April 15th of each year, all Covered Entities must file a Certification of Compliance confirming their compliance with the
Cybersecurity Regulation for the previous calendar year.
An entity or individual should only submit a Certification if they were in compliance with all portions of the regulations that applied to that Covered Entity during the time period the Certification covers. Even if a Covered Entity qualifies for an exemption
pursuant to 500.19(a), (c), or (d), it has to submit a Certification of Compliance to demonstrate that it was in compliance with the sections of the regulation that apply pursuant to the particular exemption. (The exemption set forth in 500.19(b)
is the only exemption that does not require a Covered Entity to file a Certification of Compliance.)
Certifications of Compliance for the calendar year 2021 are due by April 15, 2022. Covered Entities that hold more than one license must file a separate Certification of Compliance for each license it holds.
Instructions on how to file a Certification of Compliance can be found by clicking https://www.dfs.ny.gov/system/files/documents/2019/12/cyber_cert_compliance_filing.pdf
Covered Entities Do Not Need to File New Notices of Exemption
Any DFS regulated entity or licensed person who filed a Notice of Exemption previously
does not need to refile a Notice of Exemption. However, if your exempt status has changed, then the entity or individual should amend or terminate their filing through the DFS portal.
How to File
The DFS Cybersecurity Portal has been redesigned to assist you with your filings. To ensure that filings are matched to the appropriate Covered
Entity or licensed person, we encourage the use of an identifying number when filing. Identifying numbers are New York State License number, NAIC/NY Entity number, NMLS number or Institution number. Please make sure that you have your license number
available when you make your filing. A look-up feature is included in the Portal for anyone who does not know which number to use.
To get started please visit the DFS Cybersecurity Portal: https://myportal.dfs.ny.gov/web/cybersecurity/
Tags:
compliance
cyber
cybersecurity
DFS
Licensing
Regulations
technology
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Tuesday, April 14, 2020
Updated: Tuesday, April 14, 2020
|
Released on April 13, 2020
https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200413_covid19_cybersecurity_awareness
Re: Guidance to Department of Financial Services (“DFS”) Regulated Entities Regarding Cybersecurity Awareness During COVID-19 Pandemic
To: All New York State Regulated Entities
As we face an unprecedented threat from the novel coronavirus known as “COVID-19,” every organization’s highest priority must be health and safety. The extraordinary steps necessary to combat the COVID-19 pandemic have also created new challenges as regulated entities work to continue operating and providing critical services. Among these new risks is a significant increase in cybercrime, as criminals seek to exploit the situation.[1]
The Department of Financial Services (“DFS”) has identified several areas of heightened cybersecurity risk as a result of this crisis. As called for by DFS’s cybersecurity regulation, 23 NYCRR Part 500, regulated entities should assess the risks described below and address them appropriately.[2]
We also remind all regulated entities that, under 23 NYCRR Section 500.17(a), covered Cybersecurity Events must be reported to DFS as promptly as possible and within 72 hours at the latest. Prompt reporting will enable DFS to respond quickly to new threats as DFS works to protect consumers and the financial services industry in these difficult times.
Heightened Risks
- Remote Working
The abrupt shift to mass remote working forced by COVID-19 has created new security challenges, and attackers are exploiting these new vulnerabilities.[3] These heightened risks to regulated entities’ networks and Nonpublic Information[4] include:
- Secure Connections. Companies should make remote access as secure as possible under the circumstances. This includes the use of Multi-Factor Authentication and secure VPN connections that will encrypt all data in transit. See 23 NYCRR §§ 500.12 & 500.15.
- Company-Issued Devices. As new devices such as computers and phones are acquired or repurposed for remote working, regulated entities should ensure that they are properly secured. This includes locking down the devices so applications cannot be added or deleted by the user, and installing appropriate security software, such as Endpoint Detection & Response and Mobile Device Management.
- Bring Your Own Device (BYOD) Expansion. Regulated entities that have expanded their BYOD policies to enable mass remote working should be aware of the security risks and consider mitigating steps. Some personal devices are not properly secured or are already compromised. If an expanded BYOD policy is necessary, compensating controls should therefore be considered.
- Remote Working Communications. Remote working has increased reliance on video and audio-conferencing applications, but these tools are increasingly targeted by cybercriminals. Regulated entities should configure these tools to limit unauthorized access, and make sure that employees are given guidance on how to use them securely.
- Data Loss Prevention. Employees may be using unauthorized personal accounts and applications, such as email accounts, to remain productive while remote working. Regulated entities should remind employees not to send Nonpublic Information to personal email accounts and devices. Anticipating and solving productivity problems will reduce the temptation to use such devices.
- Increased Phishing and Fraud
There has been a significant increase in online fraud and phishing attempts related to COVID-19. For example, the FBI has reported that criminals are using fake emails that pretend to be from the Centers for Disease Control and Prevention (“CDC”), ask for charitable contributions, or offer COVID-19 relief such as government checks.[5]
-
Regulated entities should remind their employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity. Now that face-to-face work is curtailed, authentication protocols may need to be updated – especially for key actions, like security exceptions and wire transfers.
- Third-Party Risk
The challenges created by the COVID-19 pandemic have also affected third-party vendors, and regulated entities should re-evaluate the risks to critical vendors. See 23 NYCRR § 500.11. Regulated entities should coordinate with critical vendors to determine how they are adequately addressing the new risks.
Conclusion
The COVID-19 pandemic has disrupted normal operations in the financial services industry and beyond, and cyber criminals are exploiting the crisis. Despite the extraordinary challenges, regulated entities should remain vigilant. By following good cybersecurity practices, entities can identify, mitigate, and manage the risks.
[1] See DHS Cybersecurity and Infrastructure Security Agency (“CISA”), COVID-19 Exploited by Malicious Cyber Actors (April 8, 2020).
[2] Heightened cyber risk should also be addressed in the COVID-19 operational preparedness plans called for by DFS guidance issued on March 10, 2020. See Guidance to New York State Regulated Institutions and Request for Assurance of Operational Preparedness Relating to the Outbreak of the Novel Coronavirus.
[3] See FBI, Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments (April 1, 2020); U.S. Secret Service, Secret Service Issues COVID-19 (Coronavirus) Phishing Alert (March 9, 2020).
[4] 23 NYCRR § 500.01(g).
[5] See FBI, FBI Sees Rise In Fraud Schemes Related to the Coronavirus (COVID-19) Pandemic (March 20, 2020).
Tags:
Coronavirus
COVID-19
cybersecurity
DFS
technology
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Tuesday, January 28, 2020
|
The following statement and the attached document were approved by the Executive Committee at the January 2020 meeting.
The New York State Land Title Association (NYSLTA) is a trade association representing the interests of persons and companies actively engaged in the title insurance industry in New York State.
The NYSLTA is devoted to advancing the interests of all those involved in abstracting, examining or insuring title to real property. Our work benefits all title professionals in New York, including title insurance companies, abstract companies, title insurance agents, law firms, individual attorneys, surveyors and others actively engaged in real estate matters.
The Association and its members frequently have questions regarding the laws and regulations governing the title insurance business in New York. In an effort to protect consumers, educate our members and to ensure compliance, NYSLTA has compiled the attached Frequently Asked Questions and Answers, including links to the appropriate New York State laws or regulations.
Attached Files:
Tags:
compliance
Consumer protection
cybersecurity
data security
Executive Committee
Reg 206
Regulations
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Wednesday, March 28, 2018
Updated: Wednesday, March 28, 2018
|
|
Permalink
| Comments (2)
|
|
|
Posted By Robert Treuber,
Monday, March 5, 2018
Updated: Monday, March 5, 2018
|
The DFS has updated the instructions regarding the cybersecurity notices.
The instructions for replying to a notice have been revised.
Key Questions About the Recent Cyber Regulation Notice
Why did I receive this notice?
All regulated entities and licensed persons of the Department of Financial Services (DFS) were required to file a cybersecurity regulation Certification of Compliance under 23 NYCRR 500 by February 15, 2018. Our records indicate that to date you have not made such filings under the regulation. Please be aware that if you hold more than one license, then you need to file a separate Certification of Compliance for each license you hold.
What if I am late with my filing?
All Covered Entities that have failed to submit the Certification and that are in compliance with the regulation should do so via the DFS cybersecurity portal as soon as possible. The DFS Certification of Compliance is a critical governance pillar for the cybersecurity program of DFS regulated entities, and DFS takes compliance with the regulation seriously. The Department will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency.
What if I filed for an exemption from the cybersecurity regulations?
People who received the reminder are required to file the Certificate of Compliance even if you filed for an exemption under 23 NYCRR Part 500.19. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for exempted entities. Covered Entities are required to file a Certificate of Compliance to confirm that they are in compliance with those provisions of the regulation that apply to the Covered Entity.
I have a receipt showing I filed already?
Please look at the receipt. If the receipt number you received begins with an “E” then it is a receipt for filing a Notice of Exemption and not a receipt for filing the required Certificate of Compliance. Your exemption does not excuse the filing noticed below. The Certification of Compliance is to cover the period as of December 31, 2017 for all requirements of the cybersecurity regulation in force by that date. If the receipt number starts with a “C” email cyberregcomments@dfs.ny.gov with your name, license number and the receipt number from your cybersecurity Certificate of Compliance filing.
When will I receive a reply to my email?
DFS will reply to emails received in the above email box within 30 days.
Does this apply to me?
Section 500.01 (c) defines a Covered Entity for purposes of the Regulation as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” You will need to determine the applicability of the regulation to your particular circumstances.
How do a file a Certification of Compliance?
Certifications of Compliance should be filed electronically via the DFS Web Portal https://myportal.dfs.ny.gov/web/cybersecurity/. Please click the big orange box on the right hand corner that says “Cybersecurity Filing”. The Covered Entity will first be prompted to create an account and log in to the DFS Web Portal, then directed to the filing interface. Filings made through the DFS Web Portal are preferred to alternative filing mechanisms because the DFS Web Portal provides a secure reporting tool to facilitate compliance with the filing requirements of 23 NYCRR Part 500.
Dates under New York's Cybersecurity Regulation (23 NYCRR Part 500)
- March 1, 2017 - 23 NYCRR Part 500 becomes effective.
- August 28, 2017 - 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- September 27, 2017 – Initial 30 day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 - Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 - Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
Tags:
cybersecurity
DFS
Regulations
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Wednesday, August 9, 2017
|
The cybersecurity regulation has the first of many interim deadlines arriving on Aug. 28, 2017.
We have posted a file called the "Cybersecurity Limited Exemption Timeline" (access restricted to signed-in members only).
If you need help with the regulation, please contact the consultants listed on our cybersecurity compliance page. These firms have agreed to provide discounted services to NYSLTA Members.
Hey, why not subscribe to this newsblog and get an email notification whenever a new item is posted?
Here's how Guide - How to Subscribe to News and Reports.
.
Tags:
Consumer protection
cyber
cybersecurity
data security
DFS
technology
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Tuesday, April 18, 2017
Updated: Tuesday, April 18, 2017
|
The DFS Secure Portal is now accepting the filing of Notice of Limited Exemption, as cited in § 500.19 of 23 NYCRR 500.
Here is a link to the Portal - https://myportal.dfs.ny.gov/web/cybersecurity/
COMPLIANCE TIMELINE
FOR COVERED ENTITIES WHO MEET THE LIMITED EXEMPTION REQUIREMENTS (§ 500.22)
March 1, 2017 - Effective Date of Regulations
August 28, 2017 - Transitional Period ends – compliance requirement begins for most provisions of the regulation (§500.22)
February 15, 2018 - Notice of exception must be filed with the DFS (and each year thereafter on 2/15) (§500.17)
March 1, 2018 – Risk Assessment to be completed (§ 500.09)
August 30, 2018 – Policy must be in place for periodic disposal of NPI (§ 500.13)
March 1, 2019 - Develop a Third Party Service Provider Security Policy (§500.11)
Tags:
cybersecurity
DFS
Permalink
| Comments (0)
|
|
Print Page
Blog Home
All Blogs
RSS