Richard Hudson is a Senior Manager with Treliant. He has over 25 years of experience in information security, compliance, risk management, business continuity and information technology. He has worked on staff and as a consultant for companies in the financial services, insurance, healthcare, information technology, and asset management sectors. Prior…
- Source: dfs.ny.gov
Treliant helps firms prepare for compliance with regulatory guidance and expectations. On February 16, 2021, the New York State Department of Financial Services (“DFS”) issued a cybersecurity fraud alert (“Alert”) to all of its regulated entities. The Alert described a widespread cybercrime campaign to steal consumers’ nonpublic information (“NPI”) from public-facing websites that transmit or display redacted NPI.
On March 30, 2021, DFS issued a “Cyber Fraud Alert Follow-Up” Industry Letter to the February 16th Alert because it had received many additional reports of data theft.
Cybercriminals have continued to use the methods described in the February 16th Alert to steal NPI, and have added the following methods:
- Using web-debugging tools (for example, a browser’s developer tools) to capture unredacted, plaintext NPI while it is in transit from the data vendor to the company’s website, before the site redacts it for display; and
- Credential stuffing to gain access to insurance agents’ accounts, then using those accounts to request and steal consumer NPI.
This cybercrime campaign is a serious threat to consumers’ personal information, and all personal lines insurers and other financial services companies are urged to take aggressive action to prevent further loss of consumer information.
Industry Letter Highlights:
- The Alert urges personal lines insurers and other financial services companies to avoid displaying prefilled NPI on public-facing websites, given the serious risk of theft and consumer harm.
- Insurance agent portals should be protected by the robust access controls required by DFS’s cybersecurity regulation (23 NYCRR Part 500).
- DFS reminds its regulated entities that theft of consumers’ NPI must be reported to DFS immediately, as required by its cybersecurity regulation.
1. Exploitation of Data Prefill Systems
- Hackers are exploiting vulnerabilities in the code of the data prefill systems used by instant-quote websites.
- Cybercriminals are using credential stuffing to gain access to insurance agents’ accounts. Once logged in as an agent, they can request information from data prefill systems and receive unredacted NPI.
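To make the mechanism concrete, the following is an added example in JavaScript; it is not code from the DFS letter or from Treliant, and the record fields, the `session` shape, the endpoint names and the opaque-reference store are assumptions. It contrasts a quote API that relays the vendor’s unredacted record and masks it in the browser, where a web-debugging tool sees the plaintext regardless of the masking, with one that returns no prefill to anonymous callers and only server-redacted fields to authenticated agents, keeping the full record on the server.

```javascript
"use strict";

// Constructed sample record in the shape a data-prefill vendor might return.
// Every value is fictitious.
const VENDOR_RECORD = {
  firstName: "Jane",
  lastName: "Doe",
  dateOfBirth: "1985-04-12",
  driversLicense: "D1234567",
  ssn: "123-45-6789",
  address: "1 Main St, Albany, NY 12207",
};
const SENSITIVE_FIELDS = ["dateOfBirth", "driversLicense", "ssn"];

// Stand-in for the vendor call (hypothetical); matches on last name only for the demo.
function lookupVendorRecord(query) {
  return query.lastName === VENDOR_RECORD.lastName ? { ...VENDOR_RECORD } : null;
}

// Vulnerable pattern: the quote API relays the vendor's unredacted record to the
// browser and relies on page JavaScript to mask it before display. Anyone can read
// the plaintext from the browser's Network tab or by calling the endpoint directly;
// the masking is cosmetic.
function vulnerableQuoteApi(query) {
  const record = lookupVendorRecord(query);
  return record ? { status: 200, body: record } : { status: 404, body: {} };
}
function clientSideMask(record) {
  const masked = { ...record };
  for (const f of SENSITIVE_FIELDS) if (masked[f]) masked[f] = "***" + masked[f].slice(-4);
  return masked;
}

// Hardened pattern, following the letter's recommendations:
//  - public (unauthenticated) instant-quote callers get no prefill at all;
//  - an authenticated, MFA-verified agent session (hypothetical `session` shape)
//    gets a record that was redacted on the server, so plaintext never crosses the wire;
//  - the full record stays in a server-side store under an opaque reference so the
//    quote flow can use it without sending it to the browser.
const serverSideStore = new Map(); // ref -> full vendor record, never serialized to clients

function hardenedQuoteApi(query, session) {
  if (!session || !session.agentId || !session.mfaVerified) {
    return { status: 200, body: { prefill: null } };
  }
  const record = lookupVendorRecord(query);
  if (!record) return { status: 404, body: { prefill: null } };
  const ref = `ref-${serverSideStore.size + 1}`; // demo only; use a random token in production
  serverSideStore.set(ref, record);
  return {
    status: 200,
    body: {
      prefill: {
        firstName: record.firstName,
        lastName: record.lastName,
        driversLicenseLast4: record.driversLicense.slice(-4),
      },
      recordRef: ref,
    },
  };
}

// What a web-debugging tool shows: the serialized response body, independent of any
// masking the page applies afterwards. Returns the sensitive fields found in it.
function wireLeaksSensitiveData(response, record) {
  const wire = JSON.stringify(response.body);
  return SENSITIVE_FIELDS.filter((f) => wire.includes(record[f]));
}

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const query = { lastName: "Doe" };
  const agentSession = { agentId: "A-100", mfaVerified: true };
  console.log("vulnerable API leaks:", wireLeaksSensitiveData(vulnerableQuoteApi(query), VENDOR_RECORD));
  console.log("hardened API, public caller leaks:", wireLeaksSensitiveData(hardenedQuoteApi(query, null), VENDOR_RECORD));
  console.log("hardened API, agent caller leaks:", wireLeaksSensitiveData(hardenedQuoteApi(query, agentSession), VENDOR_RECORD));
}
```

The check to apply to a real site is the one `wireLeaksSensitiveData` performs: open the developer tools, submit a quote request, and read the raw response body; if the SSN, date of birth or license number appears there, client-side masking is not a control.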
2. Other Cyber Fraud Methods Used to Obtain NPI
- Social engineering reports involve “vishing”: eliciting sensitive data from insurance agents over the phone.
- Cybercriminals are also repeatedly purchasing insurance policies with eChecks and/or stolen credit and debit card information in order to view policyholders’ NPI.
3. What to do
- Covered entities that maintain any public-facing website that displays or transmits NPI should take the following steps:
- Disable prefill of redacted NPI, especially on public-facing websites.
- Install a Web Application Firewall (WAF) to help protect websites from malicious attacks and exploitation of vulnerabilities.
- Implement CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenges to help detect and block automated programs or “bots”.
- Improve access controls for agent portals with multifactor authentication (MFA), a robust password policy, and a limit on login attempts.
- Employees and agents should be trained to identify social engineering attacks.
- Limit access to NPI.
- Auto insurers should consider waiting until an eCheck, credit card, or debit card payment has been cleared by the issuing bank before generating an online policy and granting the policyholder access to NPI.
- Protect NPI received from data vendors, including while it is in transit to the website.
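The letter recommends limiting login attempts on agent portals, but credential stuffing spends one attempt per account, so a per-account lockout alone rarely fires against it. The following added example, which is not from the DFS letter or from Treliant (the log format, agent names and IP addresses are constructed, and the thresholds are illustrative), runs both controls over sample authentication events: a per-account lockout, and a per-source detector that flags an IP cycling through many distinct accounts with a high failure rate, listing any account it logged into.

```javascript
"use strict";

// Constructed sample of agent-portal login events (fictitious agent names,
// documentation-range IPs). 203.0.113.10 tries one password per account, the
// credential-stuffing pattern; 198.51.100.7 is a single agent mistyping a password.
const SAMPLE_LOG = [
  "2021-03-30T14:00:01Z ip=203.0.113.10 user=agent.adams result=fail",
  "2021-03-30T14:00:02Z ip=203.0.113.10 user=agent.baker result=fail",
  "2021-03-30T14:00:03Z ip=203.0.113.10 user=agent.clark result=fail",
  "2021-03-30T14:00:04Z ip=203.0.113.10 user=agent.davis result=success",
  "2021-03-30T14:00:05Z ip=203.0.113.10 user=agent.evans result=fail",
  "2021-03-30T14:00:06Z ip=203.0.113.10 user=agent.frank result=fail",
  "2021-03-30T14:01:00Z ip=198.51.100.7 user=agent.smith result=fail",
  "2021-03-30T14:01:10Z ip=198.51.100.7 user=agent.smith result=fail",
  "2021-03-30T14:01:25Z ip=198.51.100.7 user=agent.smith result=success",
  "2021-03-30T15:30:00Z ip=192.0.2.44 user=agent.lopez result=success",
];

// Parse one event line of the constructed format; returns null for malformed lines.
function parseLogLine(line) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$/.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], success: m[4] === "success" };
}

// Per-account attempt limiting: once an account has `maxFailures` failed attempts
// inside `windowMs`, further attempts are refused. Returns each event with a decision.
// On its own this does not catch stuffing, which spends one attempt per account.
function applyLockout(events, { maxFailures = 5, windowMs = 15 * 60 * 1000 } = {}) {
  const failures = new Map(); // user -> timestamps of recent failed attempts
  return events.map((e) => {
    const recent = (failures.get(e.user) || []).filter((t) => e.ts - t < windowMs);
    if (recent.length >= maxFailures) return { ...e, decision: "locked" };
    if (!e.success) recent.push(e.ts);
    failures.set(e.user, recent);
    return { ...e, decision: "allowed" };
  });
}

// Source-based detection: one IP cycling through at least `minUsers` distinct accounts
// within `windowMs` with a failure rate of at least `minFailRate` is the stuffing
// signature, even when no single account reaches its lockout limit. For each flagged
// IP the largest matching window is reported, with any accounts it got into.
function detectStuffing(events, { windowMs = 5 * 60 * 1000, minUsers = 5, minFailRate = 0.6 } = {}) {
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const flagged = [];
  for (const [ip, list] of byIp) {
    list.sort((a, b) => a.ts - b.ts);
    let best = null;
    for (let i = 0, j = 0; i < list.length; i++) {
      while (list[i].ts - list[j].ts >= windowMs) j++; // slide the window start forward
      const win = list.slice(j, i + 1);
      const users = new Set(win.map((x) => x.user));
      const fails = win.filter((x) => !x.success).length;
      if (users.size >= minUsers && fails / win.length >= minFailRate && (!best || users.size > best.distinctUsers)) {
        best = {
          ip,
          distinctUsers: users.size,
          attempts: win.length,
          failRate: Number((fails / win.length).toFixed(2)),
          compromised: [...new Set(win.filter((x) => x.success).map((x) => x.user))],
        };
      }
    }
    if (best) flagged.push(best);
  }
  return flagged;
}

// Run both controls over raw log lines.
function analyze(lines, opts = {}) {
  const events = lines.map(parseLogLine).filter(Boolean);
  return {
    locked: applyLockout(events, opts.lockout).filter((d) => d.decision === "locked").map((d) => `${d.user}@${d.ip}`),
    stuffing: detectStuffing(events, opts.stuffing),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
}
```

With the default thresholds the per-account lockout refuses nothing, while the per-source detector flags 203.0.113.10 and names agent.davis as the account it logged into; that account is the one whose portal access, and any prefill requests made with it, should be reviewed. Per-IP thresholds must be set knowing that stuffing campaigns rotate source addresses, so CAPTCHA and MFA on the portal remain the primary controls.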
Our professionals include, but are not limited to, former CISOs and internal auditors. We understand how to make your cybersecurity program work effectively, comply with DFS’s cybersecurity regulation, and prepare for upcoming in-depth regulatory exams.