First Charges Filed Under NYDFS Cybersecurity Regulations

First Charges Filed Under NYDFS Cybersecurity Regulations

On July 21, 2020, The New York State Department of Financial Services (NYDFS) filed its first charges under its Cybersecurity Regulation, 23 NYCRR Part 500 (Cybersecurity Regulation), which went into full effect March 2019. The Cybersecurity Regulation requires financial institutions regulated by the NYDFS to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of non-public information (NPI) maintained on their information systems. Covered institutions are also required to maintain policies and procedures designed to protect the privacy of consumer data they maintain.

Here is what we currently know about the NYDFS charges:

NYDFS alleges the Firm, which is one of the largest title insurance providers in the country, did not maintain internal controls adequate to protect the NPI it maintained. During a period from at least October 2014 through May 2019, millions of documents containing consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and drivers’ license images were allegedly exposed on the Firm’s public-facing website. NYDFS claims the vulnerability was introduced as part of an application update in May 2014 and that it remained undetected for years until it was identified during internal penetration testing conducted in December 2018[1]. The charges further allege that after the vulnerability was discovered, 1) the Firm neglected to conduct an appropriate security review and risk assessment of the security flaw and the NPI exposed, even though its internal cybersecurity team recommended conducting further investigation; 2) the vulnerability was inappropriately classified as “low” severity[2]; 3) the Firm failed to conduct a reasonable investigation into the scope and cause of the exposure; and 4) the Firm failed to investigate the vulnerability within the timeframe defined by its internal cybersecurity policies.

The Firm has stated that it “strongly disagrees” with the NYDFS charges, and a hearing has been scheduled to determine whether the alleged violations occurred and to determine whether civil monetary penalties or relief will be levied and/or provided. Each exposed record is considered a separate violation of the Cybersecurity Regulation, which carries a maximum penalty of $1,000 per record. This case shows that the NYDFS intends to aggressively pursue and enforce what it believes to be violations of its Cybersecurity Regulation.

It is important to note that even though NYFDS alleges consumer NPI was exposed, as of yet there are no allegations of a data breach nor is there any indication that any individuals have been harmed as a result of the alleged violations. In a similar case from 2015, the Securities and Exchange Commission (SEC) filed similar charges against an investment adviser for failing to adopt policies and procedures reasonably designed to protect its customer records and information; those charges were brought under Regulation S-P (the “Safeguards Rule”) [3]. In that case, the SEC claimed the adviser’s alleged failures led to the exposure of over 100,000 individuals’ personally identifiable information (PII). While the SEC acknowledged that at the time of the enforcement action there were no indications of any client having suffered financial harm as a result of the breach, the adviser was still censured and fined $75,000. It will be interesting to see how this first NYDFS case plays out, and to see how aggressive NYDFS will be with enforcement actions going forward.

To speak with one of our Cybersecurity experts on penetration testing services, dark web monitoring and assistance in compliance with NYDFS, please email cybersecurity@cssregtech.com.

[1] Penetration tests are simulated attacks on computer systems to determine whether identified vulnerabilities can be exploited and used to gain access to sensitive or confidential information.

[2] Vulnerabilities are classified into five buckets (Informational, Low, Medium, High, and Critical) based on the potential for disruption to computer systems and/or risks related to information access.

[3] Regulation S-P’s requirements for data protection are much vaguer than the requirements set forth by NYDFS, which provides much more prescriptive measures regulated firms must undertake.