Treliant Takeaway…NYDFS Cybersecurity Fraud Alert

Cybersecurity & Privacy

Department of Financial Services Announces Cybersecurity Fraud Alert

  • Source: dfs.ny.gov

Treliant Takeaway:

Treliant helps firms prepare for compliance with regulatory guidance and expectations. On February 16, 2021 – The New York State Department of Financial Services (“DFS”) issued a cybersecurity fraud alert (“Alert”) to all of its regulated entities.  The Alert describes a widespread cybercrime campaign to steal consumers’ nonpublic information (“NPI”) from public-facing websites that transmit or display redacted NPI.

DFS received reports from several regulated entities of successful or attempted data theft from websites that provide instant quotes – for example, auto insurance rate quotes – using NPI and displaying some redacted NPI back to the consumer to fraudulently apply for pandemic and unemployment benefits.

On February 4, 2021, DFS issued its first-in-the-nation Cybersecurity Insurance Framework, building on DFS’s longstanding work fostering a strong and resilient insurance market that protects New Yorkers. The Framework outlines industry best practices for New York-regulated property/casualty insurers that write cyber insurance to effectively manage their cyber insurance risk. Covered entities who have not taken cybersecurity controls seriously including cybersecurity insurance should begin or continue to revisit this process.

Press Release Highlights:

  • The Alert summarizes techniques used by cybercriminals and outlines cybersecurity measures to better protect consumer data.
  • All DFS-regulated entities with public-facing websites that transmit or display NPI – even redacted NPI – should review the findings and recommendations in the Alert.
  • DFS reminds its regulated entities to immediately report to DFS theft of consumers’ NPI, pursuant to its cybersecurity regulation.
  • The Alert furthers DFS’s commitment to improving cybersecurity to protect consumers and the industry.
  • Covered entities that maintain any public-facing website that displays or transmits NPI should also take the following steps:
  • Conduct a thorough review of public-facing website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML) configurations.
  • Review public-facing websites for browser web developer tool functionality. Verify and, if possible, limit the access that users have may have to adjust, deface, or manipulate website content using web developer tools on the public-facing websites.
  • Review and confirm that its redaction and data obfuscation solution for NPI is implemented properly throughout the entire transmission of the NPI until it reaches the public-facing website.
  • Ensure that privacy protections are up to date and effectively protect NPI by reviewing who is authorized to see NPI, which applications use NPI, and where NPI resides.
  • Search and scrub public code repositories for proprietary code.
  • Block the IP addresses of the suspected unauthorized users and consider a quote limit per user session.

Our professionals include but are not limited to, former CISOs and Internal Auditors. We understand how to make your cybersecurity programs work effectively and to prepare for more in-depth regulatory exams which inevitably are coming soon.