The New York Department of Financial Services (NYDFS) issued its first charges for violations against 23NYCRR500 cybersecurity regulations. Industry experts and legal professionals expect this trend to continue as the NYDFS identifies additional noncompliant financial and insurance services companies operating with customers in the State.
23NYCRR500 Cybersecurity Legislation Background
In March of 2017, the New York Department of Financial Service (NYDFS) enacted one of the first enforced statewide cybersecurity regulations known as 23NYCRR500. The purpose of the law was to enact regulatory minimum standards for businesses practicing in the financial services and insurance industries in the state. The law states “A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect is customers.” The law carries a heavy focus on the protection of “non-public information”. Recently the NYDFS has issued violations against 23NYCRR500 cybersecurity regulations.
Although the law is spearheading the way for other states and regulatory bodies, the contents and regulations themselves are nothing groundbreaking. The law models similar cybersecurity frameworks and objects that are common knowledge in the fields of cybersecurity standardization and best practices.
First American Title Insurance Company is First
In July of 2020, NYDFS issued its first statement of charges and notice of hearing against First American Title Insurance Company (First American) for failing to adequately protect non-public information and non-adherence to 23NYCRR500 cybersecurity regulation. Also, First American failed to follow their policies and procedures which is a direct reflection of missing due care best practices.
What went wrong?
First American heavily relies on two systems to conduct business: FAST and EaglePRO. As part of customer transactions, records including PII are collected in an application to purchase title insurance. Numerous other entities collect and submit non-public information from the customer to assist in the completion of these transactions. As part of it’s business process, First American collects and shares this data internally and external through a set of web applications. A document repository, known as FAST, facilitates the storage of these documents. The web application EaglePRO allows the sharing of documents in FAST with outside parties. This web application emails links to these documents when transactions are created, initiated, and completed.
In 2014, a system update was applied to EaglePro that introduced a vulnerability where anyone with a link to a document could bypass authentication mechanisms and access the document. Tampering with the link could also lead to the exposure of other documents as one of the link parameters was sequential and could be manipulated easily. Furthermore, these URLs contained no expiration date and could be accessed for years.
The Problem: Vulnerabilities, Mismanagement, Communication
In December of 2018, an internal cybersecurity team, known as the Cyber Defense Team (CDT), conducted a penetration test on the EaglePro web application. Through this exercise, the above-mentioned vulnerability was identified. The team alerted the EaglePro application developers regarding the vulnerability and recommended that the vulnerability be “addressed as soon as possible”.
A series of miscommunications, lack of follow-through, and general mismanagement lead to continued exposure of data through the vulnerability. Although management was aware of the vulnerability, the severity was downplayed, remediation was mismanaged, and management denied the presence of non-public information exposed in the vulnerability. The vulnerability remained unaddressed until a security researcher published articles exposing the leaked data. Only then, did management act to remediate the issues.
Breaking Down the Mistakes
In the next blog post, we’ll break down specific mistakes highlighted in the “Notice of Charges” document published by the NYDFS. If you’d like to read a technical breakdown of the scenario, the document can be accessed here.
Start Here
One of the foundational concepts continually mentioned in 23NYCRR500 is a Risk Assessment, as well as making decisions about the cybersecurity program and protections based off the risk assessment results. Conducting a risk assessment can be difficult and knowing how to act on the results can be even further challenging. Working with Rhodian will alleviate those challenges and get your cybersecurity program on track to reducing risk and remaining compliant.
