NYDFS Charges First Company for Violating Its Cybersecurity Regulation
NYDFS took its first enforcement action under its Cybersecurity Regulation, 23 NYCRR 500, alleging that errors and deficient controls led to a breach at an insurance company.
It took over three years but the New York Department of Financial Services (NYDFS) has finally filed a statement of charges against a company for failing to adhere to its Cybersecurity Regulation.
The NYDFS' Cybersecurity Regulation (23 NYCRR 500) is a series of regulations that impose requirements on financial institutions that operate under the department's guidance. Banks, mortgage companies, insurance companies, etc. are required to develop and have in place a cybersecurity policy and incident response plan that prioritizes customer data privacy and risk assessment.
The department announced last week that it was filing charges against a popular title insurance company, First American Title Insurance Company, in connection with a breach the company experienced back in 2018. That breach resulted in the exposure of more than 850 million customer records, including sensitive data like individuals' Social Security numbers, mortgage and tax records, driver's license images, and bank account numbers and statements.
News of the breach broke in May 2019; later that summer it became clear that federal regulators, namely the U.S. Securities and Exchange Commission's (SEC) Division of Enforcement, were looking into the breach to see if any federal securities laws had been broken.
According to the NYDFS, First American made several missteps that contributed to the breach, especially the fact that it failed to fix vulnerabilities it identified in a 2018 penetration test.
In all, First American violated six provisions of NYDFS’ Cybersecurity Regulation. The company:
- Failed to follow its own policies, neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;
- Misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American's internal cybersecurity policies;
- Failed to conduct a reasonable investigation into the scope and cause of data exposure uncovered by a December 2018 penetration test, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and
- Failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
Specifically, NYDFS claims First American violated the following provisions:
1. 23 NYCRR 500.02: The requirement to maintain a cybersecurity program that is designed to protect the confidentiality, integrity and availability of the covered entity’s information systems, and which is based on the covered entity’s risk assessment
2. 23 NYCRR 500.03: The requirement to maintain a written policy or policies, approved by senior management, setting forth the covered entity’s policies and procedures for the protection of its information systems and the NPI stored on those systems
3. 23 NYCRR 500.07: The requirement to limit user access privileges to information systems that provide access to NPI and periodically review such access privileges
4. 23 NYCRR 500.09: The requirement to conduct a periodic risk assessment of the covered entity’s information systems to inform the design of its cybersecurity program
5. 23 NYCRR 500.14(b): The requirement to provide regular cybersecurity awareness training for all personnel as part of the covered entity’s cybersecurity program, and to update such training to reflect risks identified by the covered entity in its risk assessment
6. 23 NYCRR 500.15: The requirement to implement controls, including encryption, to protect NPI held or transmitted by the covered entity both in transit over external networks and at rest
The department alleges that these errors, coupled with a lack of controls and other holes in the company's cybersecurity practices, led to its data being exposed.
While some elements of the regulation didn't fully go into effect until March 2019, the bulk of the Cybersecurity Regulation became effective in March 2017. Until now, there had been no enforcement actions from the department.
A hearing around the charges isn't scheduled until late October, so it's unclear exactly what the charges will amount to; the department is reportedly seeking civil monetary penalties, something the Cybersecurity Regulation allows under Section 408 of the Financial Services Law.
According to NYDFS, any violation of Section 408 carries a penalty of $1,000 per violation; on top of that "each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation."
NYDFS hinted that there could be increased scrutiny around violations of its Cybersecurity Rule last year, when it formed a new division, the Consumer Protection and Financial Enforcement Division, to respond to cybersecurity events and enforce policy around financial crimes.