In July 2020, the New York State Department of Financial Services (NYDFS) filed the first enforcement action under the new NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500), against a leading title insurance provider. Part 500, which went into effect in March 2019, is a set of regulations that places new cybersecurity requirements on financial institutions regulated by NYDFS. Pursuant to Part 500, covered financial institutions must establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of non-public information (NPI). Covered entities must also maintain policies and procedures to protect the privacy of consumer data.
The Statement of Charges filed by NYDFS alleged that the organization did not maintain adequate internal controls to protect NPI and exposed numerous documents containing consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images. More specifically, NYDFS alleged that a “known vulnerability” in their information systems resulted in exposure of NPI via the company’s public-facing website. According to the Statement of Charges, the organization updated an internal system and inadvertently created access to loan documents — without any login or authentication — through a public URL. NYDFS also alleged that an internal penetration test identified the vulnerability in December 2018, but the organization failed to properly and timely remediate it.
Why are we sharing this story? Because every business needs to take security seriously. We are well past the times of saying “We didn’t know,” “It will not happen to our company,” “We don’t have private information,” “That regulation does not apply to us” (every state has privacy regulations), or “We should be fine.” You need to be in a confident, defensible position to say, “We verified internally and then re-verified with a third party to ensure we keep PII and NPI well protected as per regulatory compliance.” Not being able to prove and say this means you could be exposed.
What Should You Do Now?
- Verify your current state. Ask your business owners whether they know what data “they” own and how they are asking IT and Security to protect it.
- Self-assess. Create your own internal audit to verify your security and data protection practices in a holistic sense.
- Call GDT to run a security risk and gap analysis specific to your business and data types you possess.
- GDT will identify the risks and define a remediation plan that can be efficiently executed. Do not worry if your team does not have the time or skills to remediate. GDT can do that for you if you so choose.
- Schedule GDT to run your gap analysis every six months so you can maintain your compliant state and your legal team and executives can be confident that your posture is defensible, safe and secure.
Staying compliant with regulations is NOT a one-time or point-in-time status. It should be taken as an everyday commitment. A commitment to your clients, partners and your employees that your business will transact in a safe, secure, diligent, and consistent way. A commitment not to expose the business to risk and reputational damage that may be unrecoverable. A commitment to run your daily operations securely every day, not just once a year when there is an audit or, worse, only after something goes wrong.