Daily Update (Cybersecurity Edition)

Good morning! Here’s what’s up.

Clips ✂️

NYDFS Issues Guidance on Cybersecurity, Sanctions Compliance and Virtual Currency Controls Amid Rising Geopolitical Tensions

NYDFS warns that escalating geopolitical conflict “significantly elevates cyber risk for the U.S. financial sector, including an increased risk of ransomware attacks and phishing campaigns.” The Department directs regulated entities to take certain steps in relation to their technical and organizational data security measures, including:

—Re-examine enterprise-wide risk assessments “to account for recent changes in the cyber-risk landscape.”

—Re-affirm the effectiveness of core controls required under 23 NYCRR Part 500, including multi-factor authentication, privileged access management, vulnerability management and restrictions on remote desktop protocol access.

—Review, update and test incident response and business continuity plans to specifically address “destructive” cyberattacks like ransomware attacks. Implement and update “risk-based controls” (e.g., endpoint detection and response, security information and event management) to identify and interdict “unauthorized or anomalous” network activity.

—Conduct full restoration tests from backups.

—Deliver enhanced cybersecurity-awareness training across the workforce.

The Guidance further reiterates the mandatory 72-hour notification window in 23 NYCRR § 500.17(a) and urges parallel reporting to law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency. The Guidance encourages entities to verify that internal escalation procedures facilitate rapid notification of NYDFS and law enforcement regarding cyber incidents, supported by tabletop exercises and tested response playbooks.

by Paul, Weiss

👉 The NYDFS Guidance dated June 23, 2025, is here.

One in Five Law Firms Hit by Cyberattacks Over Past 12 Months

One in five U.S. law firms were targeted in a cyberattack in the past year and nearly one in 10 lost data or suffered exposure, according to a comprehensive study by a Swiss tech company.

The numbers, which demonstrate the extent to which the industry has become vulnerable to increasingly ruthless cybercriminals, became apparent from a survey of 500 U.S. firms by Geneva-based Proton.

As well as the 8% of respondents, or 40 firms, that said they had lost data or suffered exposure, the survey found 65% weren’t familiar with their legal obligations around breach response and 42% said they weren’t sure if they’d recover from a cyberattack.

by Law.com

US Treasury Hacks Expose Pattern of Federal Security Missteps, Report Finds

Cybersecurity woes are plaguing the US Treasury Department, deepening a rift between the agency responsible for protecting the integrity of the financial system and the banks it regulates.

Treasury has experienced three major hacks in the past five years, including two that have come to light since December. Meanwhile, its ranks of cybersecurity leaders have been decimated this year by departures pushed by Elon Musk’s Department of Government Efficiency, which the world’s richest person left in May.

by Bloomberg

👉 Regulated financial entities, law firms, and the U.S. Treasury all in the news today for “cybersecurity woes.” And you can add airlines to that list, as well. From a Bloomberg article last night:

“Qantas joins a growing list of airlines suffering hacking breaches in recent weeks, including Alaska Air Group Inc.’s Hawaiian Airlines and Canada’s WestJet Airlines Ltd.”

Why Vanguard, Champion of Low-Fee Investing, Joined the ‘Private Markets’ Craze

Vanguard Group grew into a $10 trillion financial colossus by pioneering simple, ultralow-cost investing. Its wildly popular index funds proved that people don’t need expensive portfolio managers to pick their investments.

These days, the company’s most exciting new product is a striking departure from that playbook—a foray into the world of private markets, where investors pay steep fees for access to complex deals that promise high returns.

Wall Street is feverishly embracing private markets and Vanguard, like other giant money managers, wants a foothold in this booming business. A new fund it is developing with Blackstone and Wellington Management will offer a mix of public and private assets.

by WSJ
