The New York State Department of Financial Services (DFS) implemented cybersecurity regulations (the DFS Regulations) in 2017 which provided for a transitional two-year period before all the provisions were effective. The DFS Regulations require a comprehensive cybersecurity program for “Covered Entities” including appointing a chief information security officer, undertaking periodic risk assessments, maintaining a cybersecurity program that includes access controls, network security assessment, disaster recovery planning and attendant policies and procedures. A certificate of compliance must be filed annually with DFS. The DFS Regulations can be found here.
Shortly after the DFS Regulations were fully effective last year, DFS announced the formation of a Cybersecurity Division, led by a former federal cybersecurity crime prosecutor, to lead enforcement efforts focused on compliance with the DFS Regulations. On July 21, 2020, DFS commenced its first enforcement action under the DFS Regulations against First American Title Insurance Company. The enforcement action, which is detailed later in this information memorandum, is serious evidence of DFS’ intention to hold Covered Entities responsible for compliance with the DFS Regulations.
Who is a Covered Entity?
All businesses operating in New York under a license, registration, charter, certificate, permit or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law must comply with the DFS Regulations. The list of businesses that must comply is a lengthy one and includes banks, credit unions, insurance adjusters, bail agents, credit reporting agencies, health service providers, insurance agencies, insurance companies, service contract providers and student loan servicers. A full list of businesses supervised by DFS can be found here.
Importantly, the DFS Regulations require Covered Entities to have written policies and procedures designed to ensure that their third-party vendors have appropriate security protections of their information systems and nonpublic information (23 NYCRR 500.11). Therefore, any service vendor to any Covered Entity must ensure that its cybersecurity program complies with what is required by the Covered Entity. It is expected that the Covered Entity will require provisions identical to, or substantially the same as, the DFS Regulations since the Covered Entity will be responsible for any data breach by a vendor having access to its nonpublic information.
Enforcement of DFS Regulations
In its first enforcement action under the DFS Regulations, DFS alleges that First American Title Insurance Company violated numerous requirements of the DFS Regulations. Specifically, DFS alleges that First American failed to assess, and then address, known vulnerabilities in its document management system which exposed millions of documents containing nonpublic information. According to the Statement of Charges and Notice of Hearing, First American’s web-based title document delivery system was accessible through a website link shared among parties to a transaction, and users were not required to verify their identities. As a result, nonpublic information contained in transaction documents, including bank account numbers, social security numbers and driver’s license images, was accessible by anyone with a web browser who was given access to the website link. First American’s cybersecurity team discovered the vulnerability in December 2018 but allegedly failed to take adequate steps to remediate the vulnerability.
In its Statement of Charges, DFS states that First American failed to follow its own cybersecurity risk assessment of the document management system and then underestimated the level of risk associated with the vulnerability once it was identified. This led to a series of follow-on violations in First American’s actions related to the speed and proficiency with which First American addressed the vulnerability.
DFS is seeking civil monetary penalties that could amount to millions of dollars in liability to First American. A hearing on the charges is expected later this month.
Considerations for Businesses
For businesses that are Covered Entities, and for vendors of services to those Covered Entities which have access to nonpublic information, DFS’s initial enforcement action is proof that the DFS Regulations are to be followed closely. With the creation of its Cybersecurity Division, DFS has the resources needed to monitor Covered Entities for compliance. Businesses should expect that cybersecurity will remain a key priority for DFS this year.
Core to the DFS Regulations is the requirement to conduct a thorough risk assessment of information systems and to institute internal controls sufficient to identify and mitigate all vulnerabilities. Once vulnerabilities are identified, corrective action must be taken in a timely manner.
Businesses that have now filed their first Certificate of Compliance but have been scrambling to ensure that their own cybersecurity program meets the DFS Regulations must also make sure attention is given to third-party service providers who store or have access to their nonpublic information. The DFS Regulations require that the Covered Entity develop minimum cybersecurity practices required to be met by the vendor, undertake due diligence of the vendor’s cybersecurity practices and periodically reassess them. Additionally, if access to the Covered Entity’s system is needed by the vendor, multi-factor authentication is required.