Last month, the Financial Services Information Sharing and Analysis Center[1] (“FS-ISAC”) warned financial services companies, and particularly smaller firms, of a substantial increase in attempted cyberattacks since the start of the COVID-19 pandemic.  In particular, cyberattacks targeting bank employees rose in the first quarter of 2020.  As of early April, FS-ISAC had also identified over 1,500 fraudulent or phishing websites designed to look like pandemic-related lending or financial support programs in order to deceive visitors into disclosing sensitive personal information.

FS-ISAC reported a more than one-third increase in phishing attempts by cybercriminals against financial firms during the first quarter of 2020.  FS-ISAC noted that much of this increase appears related to attempts to exploit vulnerabilities created by firms adopting remote work arrangements to combat the pandemic, and to the use of fraudulent pandemic aid sites.  Due to these remote work arrangements, business operations may be conducted outside of financial institutions’ protective firewalls, creating vulnerabilities.  Although authorities have worked to dismantle malicious websites immediately once discovered, FS-ISAC noted that illicit actors are creating new ones almost as quickly as they are removed.

When state governments began issuing stay-at-home orders in response to the pandemic, many financial regulators issued cybersecurity guidance and alerts to the firms they regulate.  In one case, the New York Department of Financial Services (“DFS”) issued an Industry Letter to all of its regulated institutions warning of risks created by remote working arrangements and increased risks of phishing and fraud attempts during the pandemic.  Given the findings announced by FS-ISAC, it appears DFS’s warnings were well founded.

As financial institutions continue to adjust to remote work arrangements, and in some instances look to return to the office as states roll back work-from-home orders, the FS-ISAC report is further evidence of the need to take cybersecurity risks seriously.  While the full scope of these risks is unclear, it is evident that illicit actors are indeed seeking to capitalize on the vulnerabilities created by firms’ adjustments to the COVID-19 pandemic.  Further, as DFS reminded firms in its Industry Letter, such attacks are a risk not only to their operations and their customers, but also to their regulatory compliance obligations.[2]  With this in mind, firms should actively look to alert, educate, and aid their employees in mitigating the risks of cyberattacks.

[1] FS-ISAC is an industry consortium of nearly 7,000 member financial institutions and over 15,000 users spread across over 70 jurisdictions.  The organization is dedicated to ensuring the resilience of the global financial services infrastructure and protecting firms against threats to the sector’s ability to perform critical services.

[2] See 23 N.Y.C.R.R. 500 et seq.  Under New York DFS’s cybersecurity regulations, regulated financial entities are obligated to create both a Cybersecurity Program and a Cybersecurity Policy, and to promptly address all Cybersecurity Events and report them to DFS.