
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS issues Cybersecurity Insurance Risk Framework

    State Issues

    On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S. regulator on this topic. In recognizing the growing risk and the challenges insurers face when trying to manage that risk, NYDFS advised insurers to “establish a formal strategy for measuring cyber insurance risk that is directed and approved by its board or other governing entity[.]” According to the guidance, the insurer’s strategy should be proportionate to the insurer’s risk and take into account “the insurer’s size, resources, geographic distribution, and other factors.” NYDFS also advised insurers to:

    • Eliminate exposure to “silent” cyber insurance risk resulting from a cyber incident that an insurer is obligated to cover even though its policy “does not explicitly mention cyber incidents.”
    • Evaluate systemic risk, including how catastrophic cyber events impact third-party vendors.
    • Measure and assess potential cybersecurity gaps and vulnerabilities through a data-driven approach.
    • Educate insureds and insurance producers on the value of cybersecurity measures, as well as the uses and limitations of cyber insurance.
    • Recruit and hire employees with cybersecurity experience.
    • Include a requirement in cyber insurance policies that victim-insureds notify law enforcement when a cyber attack occurs.

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Bank Regulatory

  • NYDFS announces cybersecurity toolkit for small businesses

    Privacy, Cyber Risk & Data Security

    On November 17, NYDFS announced a partnership with a non-profit company to provide a free cybersecurity toolkit to small businesses, including those in the financial services sector. The toolkit is intended to help small businesses strengthen their cybersecurity and to protect themselves and their customers from growing cyber threats. Operational tools and educational resources covered in the toolkit address “identifying hardware and software, updating defenses against cyber threats, strengthening passwords and multi-factor authentication, backing up and recovering data, and protecting email systems.” NYDFS’ partnership with the company also includes the development of a set of sample policies based on cybersecurity best practices to help small businesses install necessary governance and procedures. The sample policies include, among other things, a risk assessment and a sample third-party service provider policy. NYDFS advises small businesses to “review the tools and sample policies and to adapt them to their specific business risks and operations, including to comply with any applicable state and federal laws.”  

    Privacy/Cyber Risk & Data Security State Issues State Regulators NYDFS

  • NYDFS urges regulating social media companies following hacks

    State Issues

    On October 14, NYDFS released a report detailing the Department’s investigation into the July 2020 social media hacks of public figures and cryptocurrency firms, concluding that the social media platform lacked adequate cybersecurity protections and recommending increased regulation of large social media companies. The investigation, which was requested by New York Governor Andrew Cuomo, determined, among other things, that (i) the social media hackers obtained log-in credentials from four employees by pretending to be from the company’s IT department; (ii) the hackers stole over $118,000 worth of bitcoin from consumers by tweeting “double your bitcoin” with a link to send bitcoin payments from celebrity accounts and several bitcoin companies; (iii) certain Department-regulated cryptocurrency companies blocked attempted transfers to the hacker’s addresses; and (iv) the social media company lacked adequate cybersecurity protection, including not having “a chief information security officer, adequate access controls and identity management, and adequate security monitoring.” The report recommends that the largest social media companies be designated as “systemically important institutions” subject to an analogue council of the Financial Stability Oversight Council. The report suggests the social media companies should be subject to enhanced regulation, including “stress test[]” scenarios covering cyberattacks and election interference.

    State Issues Digital Assets Privacy/Cyber Risk & Data Security NYDFS Cryptocurrency Virtual Currency

  • NYDFS enforces its cybersecurity regulation for the first time

    State Issues

    On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’ cybersecurity regulation (23 NYCRR Part 500), which took effect in March 2017 and established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) Charges filed against the company allege that a “known vulnerability” in the company’s online-based data storage platform was not fixed, which allowed unauthorized users to access restricted documents from roughly 2014 through 2019 by changing the ImageDocumentID number in the URL. Although an internal penetration test (i.e., an authorized simulated cyberattack) discovered the vulnerability in December 2018, NYDFS claims that the company did not take corrective action until six months later, when a well-known journalist publicized the problems.

    The company allegedly violated six provisions of 23 NYCRR Part 500, including failing to (i) conduct risk assessments for sensitive data stored or transmitted within its information systems; (ii) maintain appropriate, risk-based policies governing access controls to sensitive data; (iii) limit user-access privileges to information systems providing access to sensitive data, or periodically review these access privileges; (iv) implement a risk assessment system to sufficiently identify the availability and effectiveness of controls for protecting sensitive data and the company’s information system; (v) provide adequate data security training for employees and affiliated title agents responsible for handling sensitive data; and (vi) encrypt sensitive documents or implement suitable controls to protect sensitive data. Additionally, NYDFS maintains that, among other things, the company misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, failed to investigate the vulnerability within the timeframe dictated by the company’s internal cybersecurity policies, and did not conduct a reasonable investigation into the exposure or follow recommendations made by its internal cybersecurity team.
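    The two paragraphs above describe the defect at the center of the charges (a document lookup keyed only on an ID taken from the URL, with no check of who is asking) and the access-control provisions of Part 500 the insurer is alleged to have missed. The following is an added illustration, not code from the InfoBytes post or from the NYDFS filing: a toy document service showing the unchecked lookup beside a hardened lookup that enforces an ownership check, plus a small access-log check a monitoring team could use to flag a session walking through consecutive document IDs. The record store, account names, the `/docs?ImageDocumentID=` request path and the log lines are all constructed for this example.

```python
"""
Added example (not from the InfoBytes post or the NYDFS filing): an insecure
direct object reference lookup next to an authorized lookup, and a detection
pass over constructed access-log lines.  Every name, record and log line here
is made up for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # the account entitled to read this record
    contents: str   # stands in for a mortgage, tax or bank record


# Constructed sample store with sequential integer ids, mirroring a URL
# parameter such as ImageDocumentID.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "alice", "alice mortgage record"),
    1002: Document(1002, "bob", "bob tax record"),
    1003: Document(1003, "carol", "carol bank statement"),
}


def get_document_vulnerable(doc_id: int) -> Optional[str]:
    """The defect pattern: the record is returned to whoever supplies its id;
    the identity of the caller is never consulted."""
    doc = DOCS.get(doc_id)
    return doc.contents if doc else None


class AccessDenied(Exception):
    """Raised for both 'not found' and 'not yours' so the response does not
    reveal whether a given id exists."""


def get_document_hardened(requester: str, doc_id: int) -> str:
    """Authorize before returning: the requester must be the record's owner.
    A real service would consult its access-control policy here instead of a
    single owner field."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != requester:
        raise AccessDenied(f"{requester} may not read document {doc_id}")
    return doc.contents


# Constructed log format: "<session> GET /docs?ImageDocumentID=<id>"
LOG_RE = re.compile(r"^(?P<session>\S+) GET /docs\?ImageDocumentID=(?P<id>\d+)")


def find_enumeration(log_lines: List[str], threshold: int = 3) -> List[str]:
    """Return the sessions that requested at least `threshold` consecutive
    document ids in ascending order, a pattern worth a monitoring alert
    (an authorized user rarely reads records in id order)."""
    by_session: Dict[str, List[int]] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            by_session.setdefault(m["session"], []).append(int(m["id"]))

    flagged: List[str] = []
    for session, ids in by_session.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= threshold:
                flagged.append(session)
                break
    return flagged


# Constructed sample log: sess-A walks ids 1001..1003, sess-B reads one record.
SAMPLE_LOG = [
    "sess-A GET /docs?ImageDocumentID=1001",
    "sess-A GET /docs?ImageDocumentID=1002",
    "sess-A GET /docs?ImageDocumentID=1003",
    "sess-B GET /docs?ImageDocumentID=1002",
]


if __name__ == "__main__":
    # Unchecked lookup hands bob's record to anyone who guesses the id.
    print("vulnerable:", get_document_vulnerable(1002))
    # Hardened lookup serves the owner and refuses everyone else.
    print("owner:", get_document_hardened("bob", 1002))
    try:
        get_document_hardened("alice", 1002)
    except AccessDenied as exc:
        print("denied:", exc)
    print("enumeration flagged:", find_enumeration(SAMPLE_LOG))
```

    The hardened lookup treats "no such record" and "not your record" identically, which keeps the response from confirming valid IDs; the detection pass is deliberately simple (consecutive-ID runs per session) and would be tuned against real traffic before alerting on it.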

    A hearing is scheduled for October 26 to determine whether violations occurred for the company’s alleged failure to safeguard consumer information.

    State Issues Privacy/Cyber Risk & Data Security Title Insurance Mortgages 23 NYCRR Part 500 NYDFS Enforcement

  • New York Department of Financial Services issues Covid-19 cybersecurity guidance

    State Issues

    On April 13, the New York Department of Financial Services issued guidance on cybersecurity awareness during the Covid-19 pandemic. The guidance identifies three areas of heightened risk: (i) remote working, including the risks associated with less secure internet connections, expanded use of less secure personal devices, increased use of video and audio-conferencing applications, and use of unauthorized personal accounts and applications to transmit non-public information; (ii) increased online phishing and fraud attempts; and (iii) increased risk to third-party vendors. In accordance with the DFS’s cybersecurity regulation, all regulated entities are instructed to assess these risks and address them appropriately.

    State Issues Covid-19 NYDFS Privacy/Cyber Risk & Data Security New York

  • NYDFS encourages regulated entities to prepare for cyber attacks

    State Issues

    On January 4, NYDFS issued an Industry Letter warning regulated entities about the “heightened risk” of cyberattacks by hackers affiliated with the Iranian government following the killing of Iranian official Qasem Soleimani, and strongly encouraging entities to undertake preparations to ensure quick responses to any suspected cyber incidents. Specifically, NYDFS recommends that regulated entities (i) patch/remediate all vulnerabilities (especially publicly disclosed vulnerabilities); (ii) ensure employees are adequately able to handle phishing attacks; (iii) “fully implement multi-factor authentication”; (iv) “review and update disaster recovery plans”; and (v) quickly respond to further alerts from the government or other reliable sources, even outside regular business hours. The letter notes that NYDFS’ cyber regulation 23 NYCRR 500.17 (previously covered by InfoBytes here) requires regulated entities to notify NYDFS “‘as promptly as possible but in no event later than 72 hours’ after a material cybersecurity event.”

    State Issues State Regulators NYDFS Privacy/Cyber Risk & Data Security

  • NYDFS proposes student loan servicers regulation

    On July 31, NYDFS published a notice of proposed rulemaking in the New York State Register. The proposed rule would implement legislation related to the supervision, regulation, and licensing of private student loan servicers passed in March as part of the state’s FY 2020 budget. As previously covered by InfoBytes, unless exempt from certain provisions, student loan servicers must comply with the requirements set forth in the amendments to the banking law and be licensed by NYDFS in order to service student loans owned by residents of New York. Entities exempt from the licensing requirements include servicers of federal student loans, banking organizations, foreign banking organizations, national banks, federal savings associations, federal credit unions, or any bank or credit union organized under the laws of any other state.

    Among other things, the proposed regulation outlines servicing standards, examination guidelines, cybersecurity compliance requirements, and definitions for the terms “unfair” and “abusive.” A list of prohibited practices is also provided, which includes: (i) employing schemes to defraud or mislead borrowers; (ii) engaging in unfair, deceptive, abusive, or predatory acts or practices; (iii) “misapplying payments to the outstanding balance of any student loan or to any related interest or fees”; (iv) making false statements or omissions connected to information provided to a government agency; (v) failing to promptly respond to communications received from NYDFS; and (vi) failing to provide responses to consumer complaints.

    Generally, the requirements will take effect October 9, with the exception of a phased-in transition period for certain cybersecurity provisions related to 23 NYCRR Part 500 that gives student loan servicers until April 9, 2020 to comply. Comments on the proposed regulation are due September 30.

    Licensing State Issues State Legislation Student Loan Servicer NYDFS Student Lending

  • NYDFS creates Cybersecurity Division

    Privacy, Cyber Risk & Data Security

    On May 22, NYDFS announced its newly created Cybersecurity Division, led by Justin Herring as Executive Deputy Superintendent, that is, according to NYDFS, “the first of its kind to be established at a banking or insurance regulator.” The new division will focus on enforcing and issuing guidance on NYDFS’ cybersecurity regulation 23 NYCRR Part 500, advising on cybersecurity examinations, conducting cyber-related investigations, and disseminating information related to cyber-attack trends and threats. NYDFS highlighted Herring’s experience in supervising cybercrime and digital currency cases as Chief of the U.S. Attorney’s Office for the District of New Jersey Cyber Crimes Unit and a member of the Economic Crimes Unit, including investigating money laundering using digital currency and prosecuting unlicensed digital currency exchanges.

    Privacy/Cyber Risk & Data Security NYDFS

  • NYDFS creates Consumer Protection and Financial Enforcement Division

    State Issues

    On April 29, NYDFS announced its newly created Consumer Protection and Financial Enforcement Division, led by Katherine Lemire as Executive Deputy Superintendent. The new office combines the Enforcement and Financial Frauds division with the Consumer Protection division and is responsible for ensuring compliance, fighting consumer fraud, and assisting NYDFS with the enforcement of the state’s Banking, Insurance and Financial Services laws. The office will have a particular investigative focus on the response to cybersecurity events and the creation of supervisory, regulatory and enforcement policy in the area of financial crimes. Prior to her new role, Lemire served as Assistant United States Attorney in the Southern District of New York where she investigated complex federal crimes, and as a prosecutor in the Manhattan District Attorney’s Office.

    State Issues NYDFS Consumer Finance Consumer Protection Enforcement

  • NYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions

    Privacy, Cyber Risk & Data Security

    On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update outlines the procedures covered entities must follow if the entity ceases to qualify for exemptions under Section 500.19. Covered entities who no longer qualify for an exemption will have 180 days from the end of their most recent fiscal year to comply with all applicable requirements of 23 NYCRR Part 500. NYDFS further notes that covered entities may be required to periodically refile their exemptions to ensure qualification.

    Privacy/Cyber Risk & Data Security NYDFS 23 NYCRR Part 500 State Issues Compliance
