First Charges Filed Under NYDFS Cybersecurity Regulations

On July 21, 2020, the New York State Department of Financial Services (NYDFS) filed its first charges under its Cybersecurity Regulation, 23 NYCRR Part 500 (Cybersecurity Regulation), which went into full effect in March 2019. The Cybersecurity Regulation requires financial institutions regulated by the NYDFS to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of non-public information (NPI) maintained on their information systems. Covered institutions are also required to maintain policies and procedures designed to protect the privacy of the consumer data they maintain.

Here is what we currently know about the NYDFS charges:

NYDFS alleges the Firm, which is one of the largest title insurance providers in the country, did not maintain internal controls adequate to protect the NPI it maintained. During a period from at least October 2014 through May 2019, millions of documents containing consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and drivers’ license images were allegedly exposed on the Firm’s public-facing website. NYDFS claims the vulnerability was introduced as part of an application update in May 2014 and that it remained undetected for years until it was identified during internal penetration testing conducted in December 2018[1]. The charges further allege that after the vulnerability was discovered, 1) the Firm neglected to conduct an appropriate security review and risk assessment of the security flaw and the NPI exposed, even though its internal cybersecurity team recommended conducting further investigation; 2) the vulnerability was inappropriately classified as “low” severity[2]; 3) the Firm failed to conduct a reasonable investigation into the scope and cause of the exposure; and 4) the Firm failed to investigate the vulnerability within the timeframe defined by its internal cybersecurity policies.

The Firm has stated that it “strongly disagrees” with the NYDFS charges, and a hearing has been scheduled to determine whether the alleged violations occurred and whether civil monetary penalties or other relief will be imposed. Each exposed record is considered a separate violation of the Cybersecurity Regulation, which carries a maximum penalty of $1,000 per record. This case shows that the NYDFS intends to aggressively pursue and enforce what it believes to be violations of its Cybersecurity Regulation.

It is important to note that even though NYDFS alleges consumer NPI was exposed, as of yet there are no allegations of a data breach, nor is there any indication that any individuals have been harmed as a result of the alleged violations. In a comparable case from 2015, the Securities and Exchange Commission (SEC) filed charges against an investment adviser for failing to adopt policies and procedures reasonably designed to protect its customer records and information; those charges were brought under Regulation S-P (the “Safeguards Rule”) [3]. In that case, the SEC claimed the adviser’s alleged failures led to the exposure of over 100,000 individuals’ personally identifiable information (PII). While the SEC acknowledged that at the time of the enforcement action there were no indications of any client having suffered financial harm as a result of the breach, the adviser was still censured and fined $75,000. It will be interesting to see how this first NYDFS case plays out, and how aggressive NYDFS will be with enforcement actions going forward.

To speak with one of our Cybersecurity experts on penetration testing services, dark web monitoring and assistance in compliance with NYDFS, please email cybersecurity@cssregtech.com.

[1] Penetration tests are simulated attacks on computer systems to determine whether identified vulnerabilities can be exploited and used to gain access to sensitive or confidential information.

[2] Vulnerabilities are classified into five buckets (Informational, Low, Medium, High, and Critical) based on the potential for disruption to computer systems and/or risks related to information access.

[3] Regulation S-P’s requirements for data protection are much vaguer than the requirements set forth by NYDFS, which provides much more prescriptive measures regulated firms must undertake.
