On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report that it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A September 2019 examination revealed that the cyber breaches involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also alleged that the broker failed to implement multi-factor authentication as required by 23 NYCRR Part 500. Under the terms of the consent order, the broker will pay a $3 million civil monetary penalty and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the broker’s “commendable” cooperation throughout the examination and investigation and stated that the broker had demonstrated its commitment to remediation.
On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of additional techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes, the update stems from NYDFS’ February 16 cybersecurity fraud alert sent to regulated entities, which described a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. In addition to the techniques previously identified, NYDFS alerts regulated entities to the following additional hacking methods: (i) using web-debugging tools to steal unredacted, plaintext NPI while it is in transit from the data vendor to the company; and (ii) credential stuffing to gain access to insurance agent accounts and then using those agent accounts to steal consumer NPI. To prevent sensitive data from being stolen from public-facing websites, NYDFS advises financial organizations to avoid displaying prefilled NPI, even in redacted form, and to ensure that all portals are protected by the “robust access controls required by [NYDFS]’s cybersecurity regulation.” The alert also outlines remediation steps that financial institutions should take to ensure basic security.
On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report that it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also alleged that the lender failed to conduct a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and had implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.
On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. NYDFS states that it has received reports from several regulated entities of “successful or attempted data theft” from websites providing instant rate quotes, such as auto insurance rates, noting that even if NPI is redacted, “hackers have shown that they are adept at stealing the full unredacted NPI.” NYDFS advises regulated entities to review security controls for public-facing websites that display or transmit NPI (even redacted NPI), and reminds entities of their obligations under the state’s cybersecurity regulation to promptly report the theft of consumers’ NPI. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The cybersecurity fraud alert furthers NYDFS’ commitment to improving cybersecurity protections for both consumers and the industry, and follows an enforcement action taken last year alleging cybersecurity regulation violations (see InfoBytes coverage of NYDFS’ complaint against a title insurer for allegedly failing to safeguard mortgage documents here), as well as the regulator’s recently issued cybersecurity insurance framework (covered by InfoBytes here).
On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S. regulator on this topic. In recognizing the growing risk and the challenges insurers face when trying to manage that risk, NYDFS advised insurers to “establish a formal strategy for measuring cyber insurance risk that is directed and approved by its board or other governing entity[.]” According to the guidance, the insurer’s strategy should be proportionate to the insurer’s risk and take into account “the insurer’s size, resources, geographic distribution, and other factors.” NYDFS also advised insurers to:
- Eliminate exposure to “silent” cyber insurance risk resulting from a cyber incident that an insurer is obligated to cover even though its policy “does not explicitly mention cyber incidents.”
- Evaluate systemic risk, including how catastrophic cyber events impact third-party vendors.
- Measure and assess potential cybersecurity gaps and vulnerabilities through a data-driven approach.
- Educate insureds and insurance producers on the value of cybersecurity measures, as well as the uses and limitations of cyber insurance.
- Recruit and hire employees with cybersecurity experience.
- Include a requirement in cyber insurance policies that victim-insureds notify law enforcement when a cyber attack occurs.
On November 17, NYDFS announced a partnership with a non-profit company to provide a free cybersecurity toolkit to small businesses, including those in the financial services sector. The toolkit is intended to help small businesses strengthen their cybersecurity and protect themselves and their customers from growing cyber threats. Operational tools and educational resources covered in the toolkit address “identifying hardware and software, updating defenses against cyber threats, strengthening passwords and multi-factor authentication, backing up and recovering data, and protecting email systems.” NYDFS’ partnership with the company also includes the development of a set of sample policies based on cybersecurity best practices to help small businesses establish necessary governance and procedures. The sample policies include, among other things, a risk assessment and a sample third-party service provider policy. NYDFS advises small businesses to “review the tools and sample policies and to adapt them to their specific business risks and operations, including to comply with any applicable state and federal laws.”
On October 14, NYDFS released a report detailing the Department’s investigation into the July 2020 social media hacks of public figures and cryptocurrency firms, concluding that the social media platform lacked adequate cybersecurity protections and recommending increased regulation of large social media companies. The investigation, which was requested by New York Governor Andrew Cuomo, determined, among other things, that (i) the social media hackers obtained log-in credentials from four employees by pretending to be from the company’s IT department; (ii) the hackers stole over $118,000 worth of bitcoin from consumers by tweeting “double your bitcoin” with a link to send bitcoin payments from celebrity accounts and several bitcoin companies; (iii) certain Department-regulated cryptocurrency companies blocked attempted transfers to the hackers’ addresses; and (iv) the social media company lacked adequate cybersecurity protection, including not having “a chief information security officer, adequate access controls and identity management, and adequate security monitoring.” The report recommends that the largest social media companies be designated as “systemically important institutions” subject to a council analogous to the Financial Stability Oversight Council. The report suggests the social media companies should be subject to enhanced regulation, including “stress test” scenarios covering cyberattacks and election interference.
On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’ cybersecurity regulation (23 NYCRR Part 500), which took effect in March 2017 and established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) Charges filed against the company allege that a “known vulnerability” in the company’s online-based data storage platform was not fixed, which allowed unauthorized users to access restricted documents from roughly 2014 through 2019 by changing the ImageDocumentID number in the URL. Although an internal penetration test (i.e., an authorized simulated cyberattack) discovered the vulnerability in December 2018, NYDFS claims that the company did not take corrective action until six months later, when a well-known journalist publicized the problems.
The company allegedly violated six provisions of 23 NYCRR Part 500, including failing to (i) conduct risk assessments for sensitive data stored or transmitted within its information systems; (ii) maintain appropriate, risk-based policies governing access controls to sensitive data; (iii) limit user-access privileges to information systems providing access to sensitive data, or periodically review these access privileges; (iv) implement a risk assessment system sufficient to identify the availability and effectiveness of controls for protecting sensitive data and the company’s information system; (v) provide adequate data security training for employees and affiliated title agents responsible for handling sensitive data; and (vi) encrypt sensitive documents or implement suitable controls to protect sensitive data. Additionally, NYDFS maintains that, among other things, the company misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, failed to investigate the vulnerability within the timeframe dictated by the company’s internal cybersecurity policies, and did not conduct a reasonable investigation into the exposure or follow recommendations made by its internal cybersecurity team.
A hearing is scheduled for October 26 to determine whether violations occurred for the company’s alleged failure to safeguard consumer information.
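As an added illustration, not code from the page or from the insurer's system, the class of flaw the charges describe, a document lookup keyed only on a predictable ImageDocumentID, is shown beside a lookup that authorizes each object reference server-side, with a simple log check that flags a session walking consecutive ids. All users, ids, grants and log entries are constructed.

```python
"""Constructed example: an object reference authorized only by knowing the
URL (the exposure described in the charges) versus one that checks the
caller's entitlement, plus detection of sequential-id enumeration in logs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # customer the record belongs to
    content: str


# Constructed document store keyed by a sequential ImageDocumentID.
DOCS = {
    1001: Document(1001, "alice", "alice bank statement"),
    1002: Document(1002, "bob", "bob tax record"),
    1003: Document(1003, "carol", "carol mortgage note"),
}

# Constructed entitlements; a title agent may be granted several customers' files.
GRANTS = {"alice": {1001}, "bob": {1002}, "carol": {1003}, "agent-x": {1001, 1002}}


def fetch_insecure(doc_id):
    """Vulnerable pattern: possession of the id is the only check, so
    incrementing the number in the URL walks every customer's file."""
    return DOCS.get(doc_id)


def fetch_hardened(user, doc_id):
    """Authorize the specific object for the authenticated caller. Missing and
    forbidden ids both yield None so the caller cannot confirm which ids exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc_id not in GRANTS.get(user, set()):
        return None
    return doc


def enumeration_suspects(log, run_len=3):
    """Detection: return sessions that requested `run_len` consecutive ids in a
    row. `log` is a list of (session, doc_id) tuples in request order."""
    state = {}      # session -> (last id, length of current consecutive run)
    flagged = set()
    for session, doc_id in log:
        last, run = state.get(session, (None, 0))
        run = run + 1 if last is not None and doc_id == last + 1 else 1
        state[session] = (doc_id, run)
        if run >= run_len:
            flagged.add(session)
    return flagged
```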
On April 13, the New York Department of Financial Services issued guidance on cybersecurity awareness during the Covid-19 pandemic. The guidance identifies three areas of heightened risk: (i) remote working, including the risks associated with less secure internet connections, expanded use of less secure personal devices, increased use of video and audio-conferencing applications, and use of unauthorized personal accounts and applications to transmit non-public information; (ii) increased online phishing and fraud attempts; and (iii) increased risk from third-party vendors. In accordance with the DFS’s cybersecurity regulation, all regulated entities are instructed to assess these risks and address them appropriately.
On January 4, NYDFS issued an Industry Letter warning regulated entities about the “heightened risk” of cyberattacks by hackers affiliated with the Iranian government following the killing of Iranian official Qasem Soleimani, and strongly encouraging entities to undertake preparations to ensure quick responses to any suspected cyber incidents. Specifically, NYDFS recommends that regulated entities (i) patch/remediate all vulnerabilities (especially publicly disclosed vulnerabilities); (ii) ensure employees are adequately prepared to handle phishing attacks; (iii) “fully implement multi-factor authentication”; (iv) “review and update disaster recovery plans”; and (v) quickly respond to further alerts from the government or other reliable sources, even outside regular business hours. The letter notes that NYDFS’ cyber regulation, 23 NYCRR 500.17 (previously covered by InfoBytes here), requires regulated entities to notify NYDFS “‘as promptly as possible but in no event later than 72 hours’ after a material cybersecurity event.”