NYDFS has made its 1st enforcement action in connection with its Cybersecurity Regulation, 23 NYCRR 500, alleging errors & deficient controls led to a breach at an insurance company.
After over 3 years, the New York Department of Financial Services (NYDFS) has at last filed a ‘statement of charges’ against a company for failing to follow to its Cybersecurity Regulation.
23 NYCRR 500
The NYDFS’ Cybersecurity Regulation (23 NYCRR 500) is a series of rules that impose requirements on financial institutions that operate under the department’s guidance.
Banks, mortgage companies, insurance companies, etc. have to develop & have in place a cyber-security policy, & incident response plan, that prioritises customer data privacy & risk assessment.
The Department announced last week that it was filing charges against a popular title insurance company, First American Title Insurance Company, connected with a breach the company underwent in 2018.
That breach resulted in the potential compromise of more than 850m customer records, including sensitive data like individuals’ US Social Security numbers, mortgage & tax records, driver’s license images, & bank account numbers & statements.
Information about the breach appeared in May 2019, & later last summer it was noted that federal regulators, the US Securities & Exchange Commission’s (SEC) Division of Enforcement, was ‘examining’ the breach to ascertain if any Federal securities laws were broken.
Says the NYDFS, First American made some mistakes that contributed to the breach, particularly that it failed to fix vulnerabilities it identified in a 2018 penetration test.
First American in all broke 6 provisions of NYDFS’ Cybersecurity Regulation. The company:
- Failed to follow its own policies, neglecting to conduct a security review & a risk assessment of the flawed computer program & the sensitive data associated with the data vulnerability.
- Misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American’s internal cyber-security policies.
- Failed to conduct a reasonable investigation into the scope & cause of data exposure uncovered by a December 2018 penetration test, reviewing only 10 of the millions of documents exposed & thereby grossly underestimating the seriousness of the vulnerability: and
- Failed to follow the recommendations of its internal cyber-security team to conduct further investigation into the vulnerability.
NYDFS maintains First American violated the following provisions:
- 23 NYCRR 500.02: The requirement to maintain a cyber-security program that is designed to protect the confidentiality, integrity & availability of the covered entity’s information systems, & which is based on the covered entity’s risk assessment
- 23 NYCRR 500.03: The requirement to maintain a written policy or policies, approved by senior management, setting forth the covered entity’s policies & procedures for the protection of its information systems & the NPI stored on those systems
- 23 NYCRR 500.07: The requirement to limit user access privileges to information systems that provide access to NPI & periodically review such access privileges
- 23 NYCRR 500.09: The requirement to conduct a periodic risk assessment of the covered entity’s information systems to inform the design of its cyber-security program
- NYCRR 500.14(b): The requirement to provide regular cyber-security awareness training for all personnel as part of the covered entity’s cyber-security program, & to update such training to reflect risks identified by the covered entity in its risk assessment
- NYCRR 500.15: The requirement to implement controls, including encryption, to protect NPI held or transmitted by the covered entity both in transit over external networks & at rest
The department says that the errors, linked to a lack of controls, & other ‘holes’ in its cyber-security practices led to its data being exposed.
Although some elements of the regulation did become fully active until March 2019, most of the Cyber-security Regulation became effective in March 2017. Up until now, enforcement actions from the department have been nil.
A hearing about the charges is not scheduled until late Oct., so it is unclear exactly what the charges will be; the department is supposedly seeking civil monetary penalties, something the Cyber-security Regulation allows under s.408 of the Financial Services Law.
According to NYDFS, any violation of s.408 carries a penalty of $1,000 per offence; also “each instance of Non-Public Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.”
NYDFS hinted that there could be increased scrutiny around violations of its Cybersecurity Rule last year, when it created a new division, the ‘Consumer Protection & Financial Enforcement Division’, to deal with cyber-security events, & enforce policy around financial crime.