NYDFS Issues First Cybersecurity Charges

  • Source: dfs.ny.gov

Treliant Takeaway:

Treliant helps firms prepare for compliance with regulatory guidance and expectations. On July 22, 2020 the New York State Department of Financial Services (NYSDFS) filed its First Cybersecurity Enforcement Action against a leading title insurance provider for exposing millions of documents with consumer’s personal information. These charges are the first to be filed against the title insurance provider, alleging violations of NYSDFS’ Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations.

For firms who have not taken their cybersecurity controls seriously, this is a game-changer.

Chief Information Security Officers (CISO) and their teams need to be ready to demonstrate compliance with cybersecurity regulations and be ready for a thorough look at the underlying processes by the regulators. Do you want to be the next headline?

Our professionals include but are not limited to, former CISOs and Internal Auditors. We understand how to make your cybersecurity programs work effectively and to prepare for more in-depth regulatory exams which inevitably are coming soon.

Article Highlights:

  • NYSDFS alleges that a vulnerability in their information systems resulted in exposure of consumers’ sensitive personal information over the course of several years, and they failed to remedy the exposure promptly after it was discovered in December 2018.
  • NYSDFS alleges multiple failures in their handling of this extraordinary data exposure of sensitive consumer information, including:
  • Failing to follow their own policies, neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;
  • Misclassifying the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by their own internal cybersecurity policies;
  • After the data exposure was discovered by an internal penetration test in December 2018, they failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and
  • They failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.

NYSDFS alleges that these errors, deficient controls, and other flaws in their cybersecurity practices led to the data exposure that persisted for years, including months after it was discovered. According to the statement of charges, six (6) provisions of the Cybersecurity Part 500 Regulation were violated.

Regulators will now look even more closely at how firms have implemented regulatory driven cybersecurity controls and in particular, Board and senior management oversight.