 
Posted By Robert Treuber,
Thursday, October 23, 2025
To: The executives and information security personnel at all entities regulated by the New York State Department of Financial Services (“DFS” or the “Department”)
Re: Guidance on Managing Risks Related to Third-Party Service Providers
Date: October 21, 2025

Covered Entities[1] have become more reliant on Third-Party Service Providers[2] (“TPSP” or “TPSPs”) for services that involve access to Information Systems[3] or Nonpublic Information[4]
(“NPI”). Although there are many potential benefits to engaging TPSPs,
Covered Entities must understand and address the risks posed by such
reliance. For example, reliance on TPSPs introduces the risk of
Cybersecurity Incidents[5]
at the TPSP, which can have a significant impact on Covered Entities’
operations and NPI. Appropriately managing these risks remains a
crucial element of a Covered Entity’s cybersecurity program. Covered
Entities’ exposure to threats will continue to grow as their reliance
on technologies managed by TPSPs—such as cloud computing, file transfer
systems, artificial intelligence (“AI”), and fintech
solutions—increases. The growing scale and complexity of cyber risks
posed by TPSPs demands a proactive, risk-based, and continuously
adaptive approach to third-party governance.

Senior Governing Bodies[6] and Senior Officers[7] must engage actively in cybersecurity risk management, including the oversight of TPSP-related risks.[8]
Unless a Covered Entity qualifies for an applicable exemption, Senior
Governing Bodies must have a sufficient understanding of
cybersecurity-related matters to exercise appropriate oversight, which
includes the ability to provide a credible challenge to management’s
cybersecurity-related decisions to ensure that those decisions align
with the entity’s overall risk posture and resiliency objectives.[9]
The Cybersecurity Regulation (“Part 500”) also requires a Senior
Officer or the Senior Governing Body to review and approve the Covered
Entity’s cybersecurity policies and procedures at least annually.[10]

The
Department reviews Covered Entities’ information security policies and
procedures, including those addressing TPSP risk, during examinations
and investigations. In these reviews, DFS has identified areas where
Covered Entities should strengthen their TPSP programs, including how
they monitor, assess, and manage TPSP cybersecurity risk. Specifically,
DFS has identified the need for more robust due diligence, contractual
provisions, monitoring and oversight, and TPSP risk management policies
and procedures. Moreover, DFS has observed a trend in which some
Covered Entities outsource critical cybersecurity compliance obligations
to TPSPs without ensuring appropriate oversight and verification by
Senior Governing Bodies or Senior Officers. As noted in previous
guidance, Covered Entities may not delegate responsibility for
compliance with the Cybersecurity Regulation to an affiliate or a TPSP.[11]
DFS has and will continue to consider the absence of appropriate TPSP
risk management practices by Covered Entities in its examinations,
investigations, and enforcement actions.[12]

The
Department is issuing this guidance on managing risks related to
Third-Party Service Providers (“Guidance”) to assist Covered Entities of
all sizes[13]
in addressing risks associated with the use of TPSPs. The Guidance
does not impose new requirements or obligations on Covered Entities;
rather, it is intended to clarify regulatory requirements, recommend
industry best practices to mitigate common risks associated with TPSPs,
and promote compliance with relevant sections of Part 500, including
Section 500.11.[14]
In addition to clarifying regulatory requirements, the Guidance
describes steps Covered Entities should consider taking to assess and
address cybersecurity risks throughout the lifecycle of a TPSP
relationship, beginning with the due diligence and selection processes,
continuing through contracting, ongoing oversight and management of the
relationship, and ending with the termination of the TPSP relationship.

Identification, Due Diligence, and Selection

When
selecting a TPSP, Covered Entities must assess the cybersecurity risks
the TPSP poses to the Covered Entity’s Information Systems and NPI.
Policies and procedures should outline how these risks are evaluated,
including minimum cybersecurity standards required for engagement, and
procedures for assessing the TPSP’s cybersecurity practices and controls
based on the unique risks presented by the TPSP.[15]

Covered
Entities should classify TPSPs based on the latter’s risk profile,
considering factors such as system access, data sensitivity, location,
and how critical the service provided to the Covered Entity is to its
operations. For example, a TPSP with privileged access[16]
to a Covered Entity’s Information Systems and significant amounts of
NPI presents a greater risk than a TPSP that provides services operating
outside of the Covered Entity’s Information Systems. Providers of
critical services that often have a high degree of system-level access
and the ability to access sensitive NPI include companies that provide
IT managed services, outsourced help desk services, and insurance claims
management services.

Additionally, Covered Entities should
develop a tailored, risk-based plan to mitigate risks posed by each
TPSP. The following is a non-exhaustive list of considerations that
Covered Entities should assess when performing due diligence on TPSPs:
- The type and extent of access to Information Systems and NPI.
- The TPSP’s reputation within the industry, including its cybersecurity history and financial stability.
- Whether
the TPSP has developed and implemented a strong cybersecurity program
that addresses, at a minimum, the cybersecurity practices and controls
required by the Covered Entity and Part 500.
- The access controls
implemented by the TPSP for its own systems and data, as well as to
access the Covered Entity’s Information Systems, and the proposed
handling and storage of Covered Entity data, including whether
appropriate controls, such as data segmentation and encryption, are
applied based on the sensitivity of the data.[17]
- The criticality of the service(s) provided and the availability of alternative TPSPs.
- Whether
the TPSP uses unique, traceable accounts for personnel accessing the
Covered Entity’s systems and data and whether it maintains audit trails
meeting the requirements of Section 500.6.
- Whether the TPSP, its affiliates, or vendors are located in, or operate from, a country or territory that is considered high-risk based on geopolitical, legal, socio-economic, operational, or other regulatory risks.
- Whether the TPSP maintains and regularly tests its incident response and business continuity plans.[18]
- The TPSP’s practices for selecting, monitoring, and contracting with downstream service providers (“fourth parties”).
- Whether the TPSP undergoes external audits or independent assessments (e.g.,
ISO/IEC 27000 series, HITRUST) or can otherwise demonstrate, in
writing, compliance with Part 500 or industry frameworks such as the
National Institute of Standards and Technology’s (“NIST”) Cybersecurity
Framework.[19]
Covered
Entities should also consider how best to obtain, review, and validate
information provided by prospective TPSPs. For example, a standardized
questionnaire may assist in gathering responses, but qualified personnel
will need to interpret the responses to make risk-informed decisions,
ask follow-up questions as necessary, and determine appropriate
mitigation strategies.

In some instances, Covered Entities may
face constraints when selecting, contracting with, or transitioning away
from a TPSP due to limited vendor options, industry concentration, or
legacy system dependencies. In such cases, organizations should make
risk-informed decisions, document the relevant risks, take steps to
implement compensating controls (e.g., monitoring,
segmentation, contract triggers), and conduct regular assessments of the
TPSP to evaluate whether viable alternative TPSPs have emerged over
time.

Contracting

The Cybersecurity Regulation requires
Covered Entities that utilize TPSPs to develop and implement written
policies and procedures that address due diligence and contractual
protections.[20]
These policies must be risk-based and tailored to the services and
sensitivity of the data and Information Systems that will be accessed by
the TPSP. Below are a few examples of baseline contract provisions
Covered Entities should consider incorporating into their agreements[21] with TPSPs:
- Access
Controls – Requirements for TPSPs to develop and implement policies and
procedures addressing access controls, including multi-factor
authentication, that comply with requirements in Sections 500.7 and
500.12.[22]
- Data
Encryption – Obligations to develop and implement policies and
procedures addressing encryption in transit and at rest as required by
Section 500.15.[23]
Although Covered Entities qualifying for exemptions under Section
500.19 are not required to comply with this obligation, given the
sensitivity of NPI, such Covered Entities should consider requiring
TPSPs encrypt sensitive data, including NPI, in transit and at rest.
- Cybersecurity
Event Notification – Provisions related to the immediate or timely
notice to the Covered Entity upon the occurrence of a Cybersecurity
Event directly impacting the Covered Entity’s Information Systems or NPI
being held by the TPSP.[24]
- Compliance
Representations – Obligations for the TPSP to provide representations
and warranties regarding compliance with applicable laws and
regulations, including applicable requirements of Part 500.[25]
- Data
Location and Transfer Restrictions – Requirements for the TPSP to
disclose where data may be stored, processed, or accessed; obtain prior
written approval for cross-border transfers (or full prohibitions of
this practice); and comply with applicable data residency or
localization laws. Although this contractual provision is not
explicitly required by the Cybersecurity Regulation, the Department
recommends incorporating this provision in contracts because Covered
Entities can more effectively analyze the risk to sensitive data,
including NPI, when they understand where data is stored and processed.
- Subcontractors
– Requirements for the TPSP to disclose the use of subcontractors that
may have access to or use the Covered Entity’s Information Systems or
NPI, as well as the ability of the Covered Entity to reject the use of
certain subcontractors for work on its Information Systems or NPI after
conducting appropriate due diligence. Although this practice is not
required by the Cybersecurity Regulation, the Department recommends
adoption of this practice so Covered Entities are better able to analyze
the risk to sensitive data, including NPI.
- Data Use and Exit Obligations – Restrictions related to the use and sharing of data, obligations to delete[26]
or migrate data held by the TPSP upon termination of the relationship,
and obligations to obtain appropriate certifications confirming the
completion of these steps.
Where relevant, Covered Entities
should consider including a clause related to the acceptable use of
Artificial Intelligence (“AI”), and whether the Covered Entity’s data
may be used to train AI models or be otherwise disclosed to additional
parties. In addition, the TPSP agreement should include remedies in the
event the Covered Entity reasonably determines that the TPSP has
breached any material terms of the agreement related to cybersecurity.
These remedies may include requiring timely remediation or permitting
early termination of the service agreement. This is not an
exhaustive list of contractual provisions that Covered Entities should
consider, nor is this list of terms viable or appropriate in all
situations.[27]
Covered Entities should carefully evaluate terms based on the nature of
the engagement, market conditions, and the sensitivity of data, among
other factors.

Ongoing Monitoring and Oversight

As
described above, each Covered Entity’s TPSP policy or policies must
address, to the extent applicable, the periodic assessment of TPSPs
based upon the risk each presents.[28]
The TPSP risk management procedures should include layered,
risk-informed oversight processes and controls designed to confirm that
TPSP cybersecurity programs are aligned with the Covered Entity’s
cybersecurity expectations.[29]
Accordingly, Covered Entities should develop and implement policies and
procedures for the ongoing monitoring and oversight of TPSPs. The
policies should be informed by a variety of factors, including the
evolving threat and regulatory landscape, changes to products and
services, and whether the TPSP has experienced a Cybersecurity Event.
While many of the initial due diligence considerations remain relevant
throughout the relationship, once active, Covered Entities must conduct
periodic assessments based on the risk(s) a TPSP presents and the
continued adequacy of their cybersecurity practices.[30]

These assessments may consider, among other things, security attestations (e.g.,
SOC2, ISO 27001), penetration testing summaries, policy updates,
evidence of security awareness training, and compliance audits.

Moreover,
where relevant, Covered Entities should request updates on
vulnerability management, assess patching practices, and confirm
remediation of previously identified deficiencies. Material or
unresolved risk should be documented in the Covered Entity’s risk
assessment and escalated through appropriate internal risk governance
channels.

As part of a broader resiliency strategy, Covered Entities
should incorporate third-party risk into their incident response and
business continuity planning.[31]
For example, Covered Entities should assess how they would rapidly
transition to alternate systems or providers in the event of a
disruption and consider testing relevant portions of their business
continuity and incident response plans with their TPSPs.

Termination

When
preparing for the end of a TPSP relationship, Covered Entities must
disable the TPSP’s access to the Covered Entity’s Information Systems.[32]
This includes revoking system access for TPSP personnel and
subcontractors and deactivating service accounts. For TPSPs providing
cloud-based services, organizations should revoke identity federation
tools (e.g., SSO, OAuth tokens), API integrations, and external
storage access.

Covered Entities generally should require
certification of destruction of NPI, secure return of data to the
Covered Entity, or migration of data to another TPSP or internal
environment. As part of this process, Covered Entities should confirm
that any remaining snapshots, backups, or cached datasets are deleted
from TPSP systems and TPSP access to any shared resources is revoked.

Additionally,
Covered Entities should give special attention to residual or
unmonitored access points that may fall outside routine access
provisioning systems. Access points that become redundant or
unnecessary during the course of the TPSP relationship should be
addressed or eliminated on an ongoing basis, rather than being left in
place until the end of the relationship. Procedures should align with
the Covered Entity’s cybersecurity program and comply with Section
500.7.

To ensure a secure and orderly termination, Covered
Entities should develop a transition plan for critical services with
clearly defined timelines, roles and responsibilities. Management
should engage key stakeholders, including IT, legal, compliance,
procurement, and business units, to identify strategies to mitigate
potential risks. Prior to termination, Covered Entities should review
the agreement with the TPSP to identify offboarding obligations and
protections. In addition, Covered Entities should verify and retain any
data subject to legal, regulatory, or litigation hold requirements
before initiating data return or destruction processes.

After
termination is completed, a final risk review should be conducted to
confirm that all obligations have been fulfilled, and that access and
data controls have been properly enforced. The offboarding process
should be documented and relevant audit logs retained to support
accountability and future verification. Finally, any lessons learned
should be incorporated into future third-party risk assessments and
contracting practices to refine and improve TPSP lifecycle management.

Conclusion

Covered
Entities must evaluate and mitigate cybersecurity risks relevant to
their own business. To that end, this Guidance highlights risks
associated with TPSPs as well as strategies to manage these risks as
part of an effective cybersecurity program. As third-party service
offerings expand and evolve, so too will TPSP-related cybersecurity
risks. Managing these risks appropriately requires performing, at
regular intervals, careful analysis of the sufficiency of
administrative, technical, and physical controls to manage third-party
risk, as required by Part 500.
[1]
A Covered Entity is defined in § 500.1(e) as “any person operating
under or required to operate under a license, registration, charter,
certificate, permit, accreditation or similar authorization under the
Banking Law, the Insurance Law or the Financial Services Law, regardless
of whether the covered entity is also regulated by other government
agencies.” N.Y. Comp. Codes R. & Regs. tit. 23, § 500.1(e) (2025).
References to Sections hereinafter refer to those in the Cybersecurity
Regulation. Capitalized terms used hereinafter are defined in the
Cybersecurity Regulation.

[2]
Third-Party Service Provider is defined in § 500.1(s) as “a person
that: (1) is not an affiliate of the covered entity; (2) is not a
governmental entity; (3) provides services to the covered entity; and
(4) maintains, processes or otherwise is permitted access to nonpublic
information through its provision of services to the covered entity.”

[3]
An Information System is defined in § 500.1(i) as “a discrete set of
electronic information resources organized for the collection,
processing, maintenance, use, sharing, dissemination or disposition of
electronic information, as well as any specialized system such as
industrial/process controls systems, telephone switching and private
branch exchange systems, and environmental control systems.”

[4]
Nonpublic Information is defined in § 500.1(k) as “all electronic
information that is not publicly available information and is: (1)
business related information of a covered entity the tampering with
which, or unauthorized disclosure, access or use of which, would cause a
material adverse impact to the business, operations or security of the
covered entity; (2) any information concerning an individual which
because of name, number, personal mark, or other identifier can be used
to identify such individual, in combination with any one or more of the
following data elements: (i) social security number; (ii) drivers’
license number or non-driver identification card number; (iii) account
number, credit or debit card number; (iv) any security code, access code
or password that would permit access to an individual’s financial
account; or (v) biometric records; (3) any information or data, except
age or gender, in any form or medium created by or derived from a health
care provider or an individual and that relates to: (i) the past,
present or future physical, mental or behavioral health or condition of
any individual or a member of the individual's family; (ii) the
provision of health care to any individual; or (iii) payment for the
provision of health care to any individual.”

[5]
A Cybersecurity Incident is defined in § 500.1(g) as “a cybersecurity
event that has occurred at the covered entity, its affiliates, or a
third-party service provider that: (1) impacts the covered entity and
requires the covered entity to notify any government body,
self-regulatory agency or any other supervisory body; (2) has a
reasonable likelihood of materially harming any material part of the
normal operation(s) of the covered entity; or (3) results in the
deployment of ransomware within a material part of the covered entity’s
information systems.” A Cybersecurity Event is defined in § 500.1(f) as
“any act or attempt, successful or unsuccessful, to gain unauthorized
access to, disrupt or misuse an information system or information stored
on such information system.”

[6]
A Senior Governing Body is defined in § 500.1(q) as “the board of
directors (or an appropriate committee thereof) or equivalent governing
body or, if neither of those exist, the senior officer or officers of a
covered entity responsible for the covered entity’s cybersecurity
program. For any cybersecurity program or part of a cybersecurity
program adopted from an affiliate under section 500.2(d) of this Part,
the senior governing body may be that of the affiliate.”

[7]
A Senior Officer(s) is defined in § 500.1(r) as “the senior individual
or individuals (acting collectively or as a committee) responsible for
the management, operations, security, information systems, compliance
and/or risk of a covered entity, including a branch or agency of a
foreign banking organization subject to this Part.”

[8]
Tit. 23, § 500.4(d). While Covered Entities that qualify for
exemptions under § 500.19 do not need to comply with the requirements of
§ 500.4, Covered Entities must still maintain a written cybersecurity
policy or policies that are approved at least annually by a Senior
Officer(s) or the Senior Governing Body who oversee its implementation.
Tit. 23, § 500.3.

[9] See, e.g., Federal Financial Institutions Examination Council Information Technology Examination Handbook, Management Booklet, at I.A.1 Board of Directors Oversight, n.3,
https://ithandbook.ffiec.gov/it-booklets/management/i-governance/ia-it-governance/ia1-board-of-directors-oversight/
which states that “[a] credible challenge involves being actively
engaged, asking thoughtful questions, and exercising independent
judgment.”

[11] See
N.Y. State Dep’t of Fin. Servs., Industry Letter on Adoption of an
Affiliate’s Cybersecurity Program (Oct. 22, 2021), available at https://www.dfs.ny.gov/industry_guidance/industry_letters/il20211022_affiliates_cybersecurity_program;
see also, Bd. of Governors of the Fed. Rsrv. Sys., Fed. Deposit Ins.
Corp., Off. of the Comptroller of the Currency, Interagency Guidance on
Third-Party Relationships: Risk Management, 88 Fed. Reg. 37920 (June 9,
2023); see also id. tit. 23, § 500.4(a)(1).

[13] Note
that the Cybersecurity Regulation imposes different requirements on
organizations based on their size and resources. See id. § 500.1(d)
(describing the qualifying conditions for Class A Companies) and §
500.19(a) (describing the qualifying factors for Covered Entities that
are granted limited exemptions based upon the number of Covered Entity
personnel, revenue, and assets).

[14] For
larger Covered Entities, including Class A Companies, a risk-based
approach and solutions may require different steps based upon the unique
circumstances, technologies, and other factors relevant to the entity.

[15] Tit. 23, § 500.11(a).

[16]
Privileged access refers to the access an Information System user has
where the user “is authorized (and therefore, trusted) to perform
security-relevant functions that ordinary users are not authorized to
perform.” See, definition of a “privileged user,” National Institute of
Standards and Technology, SP 800-53r5, Appendix A: Glossary, Security
and Privacy Controls for Information Systems and Organizations (Sep.
2020, updated Dec. 10, 2020), available at https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final.

[17] Tit. 23, §§ 500.11(b)(1)-(2).

[18] Tit. 23, § 500.16(d).

[20] Tit. 23, § 500.11(b).

[21]
The type of agreement, provisions, and exhibits will vary depending on
the nature of the services provided and type and breadth of data the
TPSP will access. For example, when using cloud-based service providers
such as Software-as-a-Service and Infrastructure-as-a-Service, among
others, Covered Entities may want to append a service-level agreement,
which typically defines service quality expectations, system
availability of the product or service for use (commonly referred to as
“up-time”), and response and recovery times. Alternatively,
organizations providing professional services (e.g., developer,
consultant, auditor) generally append Statements of Work to address
project-specific obligations, such as deliverables, timelines, and
scope. Both documents serve as contractual supplements that clarify
roles and expectations under a broader agreement. DFS understands that
these types of service-level agreements are often drafted by the TPSP,
and that Covered Entities may not always have sufficient leverage to
negotiate many of the terms.

[22] Tit. 23, § 500.11(b)(1).

[23] Tit. 23, § 500.11(b)(2).

[24]
Section 500.11 requires a Covered Entity’s policies and procedures to
include relevant guidelines covering, among other things, contractual
provisions addressing a TPSP’s obligation to provide notice of
Cybersecurity Events. A Covered Entity’s policies and procedures must
include guidelines and/or contractual protections that address the
notice to be provided in the event of a Cybersecurity Event directly
impacting the Covered Entity’s Information Systems or the Covered
Entity’s NPI being held by the TPSP. See supra note 5 (observing that
Cybersecurity Events include more than Cybersecurity Incidents).

[25] Tit. 23, § 500.11(b)(4).

[26]
See, e.g., tit. 23, § 500.13(b) (requiring each Covered Entity to have
policies and procedures for the secure disposal on a periodic basis of
certain NPI no longer necessary for business operations or other
legitimate business purposes).

[27]
In this circumstance, Covered Entities should still seek to secure
reasonable protections, such as breach notification clauses, data use,
and assurances regarding access controls and data handling.
Additionally, they should consider limiting the volume and sensitivity
of data shared, using tokenization to replace sensitive data elements
and applying pseudonymization techniques to obscure individual
identities, where appropriate. Independent third-party assessments or
certifications (e.g., SOC 2, ISO 27001) should also be reviewed and
required where feasible. In parallel, organizations should develop
medium- to long-term strategies
to reduce dependency, such as enabling data portability, modularizing
services, or evaluating alternative providers. Moreover, high-risk TPSP
relationships should be appropriately escalated through risk governance
frameworks and reflected in the Covered Entity’s risk assessments and
board-level reporting.

[28] See tit. 23, § 500.11(a)(4).

[29]
See, e.g., FINRA, Regulatory Notice 21–29, FINRA Reminds Firms of Their
Supervisory Obligations Related to Outsourcing to Third-Party
Vendors (Aug. 13, 2021), available at https://www.finra.org/rules-guidance/notices/21-29
(Guidance noting that member firms should consider, among other things,
vendor self-assessments, including certified reporting, as well as
conducting onsite visits) and NIST SP 800-161r1-upd1, Cybersecurity
Supply Chain Risk Management Practices for Systems and Organizations
(May 5, 2022, rev. Nov. 1, 2024), available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-upd1.pdf
(Publication recommending that organizations audit Information and
Communication Technology “supply chain-relevant events within their
information system boundaries” using mechanisms such as system logs,
intrusion detection system logs, firewall reports, and other evidence
trails).

[30] Tit. 23, § 500.11(a)(4).

[31] See, e.g., tit. 23, § 500.16.

[32] Tit. 23, § 500.7(a)(4).
Tags: cybersecurity, DFS, Industry Letter
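The Termination section of the guidance above asks for three things at offboarding: every TPSP user, service account, SSO/OAuth grant, API integration and external storage share is disabled; access points that sit outside routine provisioning get special attention; and access that went dormant during the relationship is removed as it arises rather than at the end. The script below is an added example, not DFS text or tooling. It assumes an access inventory already exported from the identity provider, cloud IAM, secrets vault and file-sharing consoles and tagged with the owning vendor; the vendor name, identifiers, dates and provisioning source names are all constructed.

```python
"""Residual-access check for TPSP offboarding (added example, not DFS material)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

# Provisioning systems the entity treats as routine. Anything recorded
# elsewhere (a hand-issued API key, for instance) is an access point that
# routine deprovisioning would miss. Names are assumptions.
MANAGED_SOURCES = {"idp", "cloud-iam", "fileshare-admin"}
TERMINATION_DATE = date(2025, 10, 31)  # constructed contract end date


@dataclass(frozen=True)
class AccessItem:
    kind: str                   # user, service_account, sso_app, oauth_grant, api_key, storage_share
    identifier: str
    vendor: str
    enabled: bool
    last_used: Optional[date]   # None = never observed in logs
    source: str                 # system that records this item


# Constructed sample inventory for a hypothetical managed-service vendor "Acme MSP".
SAMPLE_INVENTORY: List[AccessItem] = [
    AccessItem("user", "jdoe@acme-msp.example", "Acme MSP", True, date(2025, 9, 30), "idp"),
    AccessItem("service_account", "svc-acme-backup", "Acme MSP", False, date(2025, 8, 14), "cloud-iam"),
    AccessItem("oauth_grant", "acme-ticketing-connector", "Acme MSP", True, date(2025, 6, 1), "idp"),
    AccessItem("api_key", "ak-placeholder-7f3a", "Acme MSP", True, None, "manual"),
    AccessItem("storage_share", "share://claims-export", "Acme MSP", True, date(2025, 10, 2), "fileshare-admin"),
    AccessItem("user", "analyst@other-vendor.example", "Other Vendor", True, date(2025, 10, 1), "idp"),
]


def residual_access(inventory: List[AccessItem], vendor: str) -> List[AccessItem]:
    """Everything still enabled for the vendor, whatever kind of access it is."""
    return [item for item in inventory if item.vendor == vendor and item.enabled]


def out_of_band(items: List[AccessItem]) -> List[AccessItem]:
    """Enabled items that routine provisioning does not track."""
    return [item for item in items if item.source not in MANAGED_SOURCES]


def dormant(items: List[AccessItem], as_of: date, max_idle_days: int = 90) -> List[AccessItem]:
    """Enabled items unused for longer than max_idle_days, or never used at all.
    These should have been removed during the relationship, not at its end."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [item for item in items if item.last_used is None or item.last_used < cutoff]


def revoke_vendor(inventory: List[AccessItem], vendor: str) -> List[AccessItem]:
    """Return a copy of the inventory with every item owned by the vendor disabled."""
    return [replace(item, enabled=False) if item.vendor == vendor else item for item in inventory]


def offboarding_report(inventory: List[AccessItem], vendor: str, as_of: date) -> dict:
    """Summarise what still has to be revoked before the final risk review."""
    residual = residual_access(inventory, vendor)
    return {
        "vendor": vendor,
        "residual": [item.identifier for item in residual],
        "out_of_band": [item.identifier for item in out_of_band(residual)],
        "dormant": [item.identifier for item in dormant(residual, as_of)],
        "complete": not residual,
    }


if __name__ == "__main__":
    print(offboarding_report(SAMPLE_INVENTORY, "Acme MSP", TERMINATION_DATE))
    print(offboarding_report(revoke_vendor(SAMPLE_INVENTORY, "Acme MSP"), "Acme MSP", TERMINATION_DATE))
```

Running the report before and after revocation gives the two records the guidance asks to retain: the list of what was still open (with the out-of-band API key and the two dormant grants called out) and a `complete: True` result once nothing enabled remains for the vendor.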
Posted By Technology Committee,
Monday, October 6, 2025
Dear Colleagues,

On October 14, 2025, Microsoft will officially end all support for Windows 10. After this date, Windows 10 machines will no longer receive security updates or patches, leaving them dangerously exposed to hackers and other cyber threats. This change is not optional and it will impact many of us directly.

While some computers can be upgraded to Windows 11, a large number of office machines will not meet the requirements. That means many devices will need to be replaced entirely to remain secure and compliant.

Continuing to operate on unsupported systems is a serious risk, both to your own data and to your clients’ information. The title industry is a prime target for cyberattacks, and leaving Windows 10 machines in service after October 14 invites unnecessary vulnerability.

Please take time now to:
- Identify all computers in your office still running Windows 10.
- Confirm whether they can be upgraded to Windows 11.
- Make replacement plans immediately for any systems that cannot.
This is a significant change with a firm deadline. Acting today will help ensure your business operations remain secure and uninterrupted. Thank you for your attention to this urgent matter.

Best regards,
Andrew Zankel, NTP - Technology Committee Chair
Dan Celikoyar – Technology Committee Vice-Chair
Tags: cybersecurity, Technology Committee
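The second step in the notice above, confirming whether a Windows 10 machine can take Windows 11, comes down to a fixed set of hardware gates. The script below is an added example, not from the Technology Committee or from Microsoft. It assumes the listed fields were already collected by the office's endpoint-management tooling (every hostname and value is constructed) and applies the published Windows 11 minimums: a 64-bit CPU with at least 2 cores at 1 GHz or more, 4 GB RAM, 64 GB storage, UEFI firmware capable of Secure Boot, and TPM 2.0. Whether a CPU model is on Microsoft's supported-processor list has to be looked up separately, so the inventory carries that answer as a pre-resolved boolean. It also separates machines whose only blockers are firmware settings (TPM and Secure Boot are often present but switched off) from those that need replacing.

```python
"""Windows 11 readiness triage for a Windows 10 fleet (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

WINDOWS_10_END_OF_SUPPORT = "2025-10-14"  # date given in the notice

# Blockers that are usually a firmware setting rather than missing hardware.
FIRMWARE_FIXABLE = {"secure_boot", "tpm"}

BLOCKER_TEXT = {
    "ram": "less than 4 GB RAM",
    "disk": "less than 64 GB storage",
    "legacy_bios": "booting in legacy BIOS mode, UEFI required",
    "secure_boot": "Secure Boot not available",
    "tpm": "TPM 2.0 not present or not enabled",
    "cpu_spec": "CPU below 2 cores / 1 GHz / 64-bit",
    "cpu_unsupported": "CPU model not on Microsoft's supported list",
}


@dataclass(frozen=True)
class Machine:
    hostname: str
    os_name: str
    ram_gb: float
    disk_gb: float
    uefi: bool
    secure_boot_capable: bool
    tpm_version: Optional[str]  # "2.0", "1.2", or None when absent or disabled
    cpu_cores: int
    cpu_ghz: float
    cpu_64bit: bool
    cpu_supported: bool         # resolved against Microsoft's processor list beforehand (assumed input)


def win11_blockers(m: Machine) -> List[str]:
    """Codes for every Windows 11 minimum the machine fails; empty means eligible."""
    blockers = []
    if m.ram_gb < 4:
        blockers.append("ram")
    if m.disk_gb < 64:
        blockers.append("disk")
    if not m.uefi:
        blockers.append("legacy_bios")
    if not m.secure_boot_capable:
        blockers.append("secure_boot")
    if m.tpm_version != "2.0":
        blockers.append("tpm")
    if m.cpu_cores < 2 or m.cpu_ghz < 1.0 or not m.cpu_64bit:
        blockers.append("cpu_spec")
    if not m.cpu_supported:
        blockers.append("cpu_unsupported")
    return blockers


def triage(m: Machine) -> str:
    """'current', 'upgrade', 'check_firmware_settings' or 'replace'."""
    if m.os_name.startswith("Windows 11"):
        return "current"
    blockers = win11_blockers(m)
    if not blockers:
        return "upgrade"
    if set(blockers) <= FIRMWARE_FIXABLE:
        return "check_firmware_settings"  # verify in firmware before buying hardware
    return "replace"


def plan(inventory: List[Machine]) -> Dict[str, str]:
    return {m.hostname: triage(m) for m in inventory}


def explain(m: Machine) -> str:
    return "; ".join(BLOCKER_TEXT[code] for code in win11_blockers(m)) or "meets all minimums"


# Constructed sample fleet.
SAMPLE_FLEET = [
    Machine("front-desk-01", "Windows 10 Pro", 8, 256, True, True, "2.0", 4, 2.4, True, True),
    Machine("closing-room-02", "Windows 10 Pro", 8, 500, True, True, "1.2", 4, 3.0, True, False),
    Machine("escrow-03", "Windows 10 Home", 4, 128, False, False, None, 2, 2.0, True, False),
    Machine("title-plant-05", "Windows 10 Pro", 16, 512, True, False, None, 6, 3.2, True, True),
    Machine("mgr-laptop-04", "Windows 11 Pro", 16, 512, True, True, "2.0", 8, 2.8, True, True),
]

if __name__ == "__main__":
    for machine in SAMPLE_FLEET:
        print(f"{machine.hostname}: {triage(machine)} ({explain(machine)})")
```

The `check_firmware_settings` bucket is the one worth a second look before ordering replacements: a machine whose only gaps are Secure Boot and TPM may just need those enabled in firmware, whereas anything booting in legacy BIOS mode or carrying an unsupported CPU goes straight to the replacement list.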
Posted By Robert Treuber,
Monday, December 16, 2024
Re-posted from SECURITY BUZZ by Genady Vishnevetsky, Chief Info Security Officer Stewart Title Guaranty Company
There's a new phishing campaign that's using a clever trick - corrupted Word documents. This technique allows malicious content to pass through to the user without detection by any email security tools.
The attacker intentionally (slightly) corrupts the attached
Word document so that antivirus and security scanners can't scan it.
Because the file has a .docx extension, when the unsuspecting victim
opens it, Microsoft Word detects the corruption and asks the user if
they want to repair it. If the user confirms, Word will repair and open
the file.
Inside the recovered file is a QR code that leads to a
credential harvesting page that steals both the user's credential and
the MFA.
The timing of this attack is impeccable. Security firm Any.Run,
which discovered it, found that the email appeared to come from Human
Resources and focused on end-of-the-year benefits and bonus payouts.
Takeaways:
- Hackers frequently time and theme their attacks to seasonal,
disaster or business events - always stay alert during business
seasonality (i.e., end-of-month, quarter, year activities, benefits,
payouts, income-tax events)
- Attackers continuously attempt to find ways to stay under the radar of security technologies - always proceed with caution
- Every attachment from an unknown source should be considered malicious until proven otherwise
- Any new behavior (recovery of corrupted attachment) should be a red flag
- QR codes have alarmingly become mainstream for cybercrooks due
to the inability to analyze the destination with the naked eye.
Scrutinize all QR codes and avoid using them in emails and attachments
if possible.
- Do not enter any credentials on the site you landed on from
the email or attachments unless it came from a trusted and verified
source
Tags: cybercrime, cybersecurity
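The post above turns on one property of the attachment: a .docx is a ZIP package, and a deliberately damaged one fails to parse while still opening in Word via the repair prompt. A mail gateway can check that property before any content scanning. The script below is an added example, not code from the Security Buzz post, from Stewart Title or from Any.Run. It validates that a Word attachment has an intact ZIP end-of-central-directory record, carries the `[Content_Types].xml` and `word/document.xml` parts, and that every member's CRC matches, and quarantines anything carrying the extension that fails. The sample documents, including the damaged variants, are constructed in memory.

```python
"""Structural check for .docx attachments at a mail gateway (added example)."""
import io
import zipfile
from typing import Tuple

REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")
OOXML_WORD_EXTENSIONS = {"docx", "docm", "dotx", "dotm"}

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>"
)


def build_docx(body_text: str, parts=REQUIRED_PARTS) -> bytes:
    """Build a minimal OOXML package. Members are stored, not deflated, so the
    byte change used below lands in the XML itself and breaks that member's CRC."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        if "[Content_Types].xml" in parts:
            zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        if "word/document.xml" in parts:
            zf.writestr("word/document.xml", DOCUMENT_XML.format(text=body_text))
    return buf.getvalue()


def classify_docx(data: bytes) -> str:
    """Return 'ok', 'not_zip', 'missing_parts' or 'corrupt_entries'."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not_zip"  # no end-of-central-directory record: Word would offer to repair
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(part not in names for part in REQUIRED_PARTS):
                return "missing_parts"
            # testzip() reads every member and returns the name of the first CRC failure
            return "corrupt_entries" if zf.testzip() else "ok"
    except zipfile.BadZipFile:
        return "corrupt_entries"


def attachment_verdict(filename: str, data: bytes) -> Tuple[str, str]:
    """Gateway decision for one attachment: ('pass' | 'quarantine' | 'scan', reason)."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext not in OOXML_WORD_EXTENSIONS:
        return ("scan", "not a Word OOXML attachment; regular scanning applies")
    state = classify_docx(data)
    if state == "ok":
        return ("pass", "well-formed OOXML package; regular scanning applies")
    return ("quarantine", f"{ext} container check failed: {state}")


# Constructed samples: a sound document and three ways it can be damaged.
GOOD = build_docx("Year-end benefits and bonus schedule")
TRUNCATED = GOOD[:-30]                                   # tail (EOCD record) cut off
CRC_FLIPPED = GOOD.replace(b"benefits", b"benefitX", 1)  # one byte changed inside a stored member
MISSING_PART = build_docx("x", parts=("[Content_Types].xml",))

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("truncated", TRUNCATED),
                       ("crc_flipped", CRC_FLIPPED), ("missing_part", MISSING_PART)]:
        print(name, classify_docx(blob), attachment_verdict("benefits.docx", blob))
```

A legitimately damaged document from a colleague will trip the same check; that is acceptable at a gateway, because the alternative is delivering a file that no scanner could inspect and asking the recipient to repair it, which is precisely the behaviour the post flags as a red flag.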
Posted By Genady Vishnevetsky - Chief Info Security Officer Stewart Title Guaranty Company,
Thursday, December 12, 2024
The following was originally posted to the ALTA Open Forum Security Buzz.

Cybercriminals are exploiting a system designed for emergencies to steal your personal information. The FBI has issued a warning about a concerning trend: the increasing use of fraudulent emergency data requests (EDRs) by cybercriminals. EDRs are legitimate tools that law
enforcement uses to obtain information from online service providers in
urgent situations where there isn't enough time to secure a warrant or
subpoena. These requests are usually approved as long as they originate
from a valid law enforcement email address. Unfortunately, cybercriminals are
exploiting this process by utilizing hacked police and government email
accounts to send fake EDRs. This makes it challenging for companies to
verify the authenticity of the requests, placing them in a difficult
situation. If a company refuses to comply
with what appears to be a legitimate request, it could have serious
consequences if there is a real emergency. Conversely, if they comply,
it may result in the exposure of sensitive customer information to
criminals. Examples of This Scheme in Action: - Cybercriminals are selling access
to hacked .gov email addresses, including US credentials, which they
claim can be used for EDRs
- One individual, known as
"Pwnstar," is selling fake EDR services, claiming to have access to
government emails from over 25 countries
- Another tactic involves the use of forged court-approved subpoenas sent through compromised email accounts
- Cybercriminals are even using Kodex, a platform designed to verify law enforcement requests, to make their fake requests appear more legitimate
Verizon's transparency report
indicates a high compliance rate with EDRs, with records being provided
in approximately 90% of cases. This highlights the effectiveness of this
tactic. Financial institutions and cryptocurrency platforms are
particularly concerned about fake EDRs being used to freeze or seize
funds. Takeaways: - Our data is at risk:
All this means our personal information is more vulnerable than ever.
It's a stark reminder that cybercriminals are constantly finding new
ways to exploit systems, even those designed for emergencies.
- Financial institutions are particularly vulnerable:
Banks and cryptocurrency platforms are prime targets for this kind of
scam because fake EDRs can be used to steal money directly from customer
accounts. It's a wake-up call for these institutions to step up their
security measures.
Both law enforcement agencies and
companies need to be more vigilant. Law enforcement needs better
cybersecurity to protect their systems, and companies need more robust
verification processes to weed out these fake requests. This isn't going
away anytime soon, so staying ahead of these criminals is an ongoing
challenge.
Tags: cybercrime, cybersecurity, EDR
Posted By Robert Treuber,
Tuesday, November 14, 2023
The New York State Department of Financial Services (DFS) alerts all regulated entities to take immediate action to investigate and, if applicable, to mitigate the following cybersecurity threat.

On November 7, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released guidance for addressing a critical vulnerability designated as CVE-2023-4966 which impacts multiple versions of Citrix NetScaler ADC and Gateway products. The vulnerability, also known as Citrix Bleed, could allow a cyber actor to take control of an affected system.

Threat actors are actively exploiting this vulnerability. According to Citrix’s website, there are reports of session hijacking and targeted attacks. Citrix strongly urges all affected users to immediately install recommended builds and to terminate and clear all active and persistent sessions. Please refer to the Citrix Security Blog for details and the necessary commands.

An additional vulnerability has been found in customer-managed instances of Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway): CVE-2023-4967.

Exploitation of these vulnerabilities can result in deployment of ransomware, data theft, and business disruption.

DFS advises all regulated entities to assess promptly the risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and to take action to mitigate risk. As you assess risk, we recommend reviewing the CISA Alert and the Citrix Security Bulletin and Security Blog.

Regulated entities are reminded to report Cybersecurity Incidents that meet the criteria of 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest via the secure DFS Portal. As of December 1, 2023, regulated entities who decide to make cyber extortion payments must report such payments to DFS within 24 hours and within 30 days provide a description of the rationale for, and diligence undertaken in connection with, making such payment. For more information, visit DFS’s Cybersecurity Resource Center.

If others in your organization should receive this cybersecurity information, please forward this email. Additional interested parties may also opt-in to receive "Cybersecurity Updates" from DFS.
Tags: cybersecurity, DFS
Posted By Robert Treuber,
Wednesday, November 8, 2023
Download the regulation HERE. Check this Newsblog and the Calendar for announcements on cybersecurity training and compliance education, currently under development.
Tags: compliance, cybersecurity, DFS
Posted By Robert Treuber,
Tuesday, January 10, 2023
Customer Update – January 9, 2023

Dear Valued Customer:

Last night and today our team of specialists have continued to carefully bring our systems out of “protection mode.” I support our very conservative approach of copying all data and images prior to completing their examination and validation. While this approach requires space and time, it is the safest way to operate.

As I have mentioned previously, we are working with cyber specialists every step of the way and are taking no risks with your data. The team is working in shifts, 24 x 7, to bring your offices back on-line as soon as possible. Nothing is more important.

The work this week will consist of: integrating additional space, copying what we have, working to restore full functionality while analyzing and validating all slices of data.

Regardless of our conservative approach, we recognize the critical situation we are all in and work with the utmost sense of urgency.

Thank you for your understanding. I will keep you updated throughout the week.

Deborah Ball, CEO Cott Systems, Inc. | 2800 Corporate Exchange Dr., Ste.300 | Columbus, OH 43231
o) 800-588-2688 M-F 7am-6pm Eastern | f) 866-540-1072
Tags: Cott Systems, County Clerk, cybersecurity
Posted By John Sauers - Frontier Abstract & Research,
Tuesday, January 3, 2023
Customer Update – January 2, 2023

Dear Valued Customer,

During the past 24 hours, we have confirmed that all databases are complete and in good order. We continue to run maintenance checks to verify all back-up systems are working as intended. As of this moment, we have 93% of the infrastructure fixed and running and we are working with Citrix to check connectivity.

I was hopeful that our applications would be back online for you Tuesday. I am sorry but that will not yet be possible. We are still testing basic functionality and will move to more detailed testing later this evening to make sure the programs are working as intended.

I am so encouraged that no data was lost or damaged. Our teams are working as fast as possible to verify the applications are working properly. While I still do not have an absolute timeline, I am hoping Wednesday they will have made enough progress to put you back in business.

Please accept my apologies and appreciation for your understanding.

Deborah Ball, CEO Cott Systems, Inc. | 2800 Corporate Exchange Dr., Ste.300 | Columbus, OH 43231
o) 800-588-2688 M-F 7am-6pm Eastern | f) 866-540-1072
Tags: County Clerk, cybersecurity, Land Records
Posted By Robert Treuber,
Monday, January 2, 2023
Posted By Robert Treuber,
Wednesday, December 28, 2022
[Note - Cott Systems provides land recordation services in 17 states, including several NY counties]

To all valued Cott customers,

As you know, on Monday, December 26, Cott Systems identified some unusual activity on our servers. In an abundance of caution, we disconnected all of our servers to isolate that activity within our environment. We then immediately engaged cyber specialists to investigate the event and they began a forensic analysis.

It has been determined that Cott Systems is the victim of an organized cyber-attack. We have notified the FBI. Both the FBI and Homeland Security have indicated that they are aware of, and have been investigating, this particular group of criminals who operate worldwide. We will be sharing information as we proceed.

We are working 24 x 7 with the forensic specialists to review all affected systems. While this is being completed, they are also working with us to identify ways to securely rebuild processes and restore functionality. There are many steps involved in the recovery from this cyber-attack. At this time, we are not able to give you a date when we will be fully operational or when connectivity and all of your services will be restored. You will be kept informed by a daily update.

Finally, we are working on methods for you to be able to continue to at least manually process transactions. These will be provided in additional communications once we work out the details.

Cott Systems exists to serve you. We acknowledge that time is of the essence and this is an emergency situation. Please accept our sincere apologies for the impact that this cyber-attack is having on your office.

Thank you,
Customer Support | Cott Systems
Cott Systems, Inc. | 2800 Corporate Exchange Dr., Ste.300 | Columbus, OH 43231
o) 800-588-2688 M-F 7am-6pm Eastern | f) 866-540-1072 | e) support@cottsystems.com
Tags: county clerk, cyber, cybersecurity