How NYDFS Is Enforcing New York’s Cybersecurity Regulation

The arc of development of cybersecurity and data privacy as core business issues is at its three-quarters turn, having gone from a pure IT issue only five years ago to local laws that regulatory agencies are enforcing. The final turn will be passage of a uniform federal law.

Credit: NicoElNino/Adobe Stock

No longer just idle talk among a handful of states that have already passed data privacy laws—or whispers in Congress about a uniform federal regulation—cybersecurity and data privacy ideas are rising to meet the moment.

Cybersecurity breaches are getting a lot of attention nationally, not only for their design and simplicity of execution, but also for the astonishing ease with which they disrupt everyday systems. It can be overwhelming to think that protecting our proprietary information and wrestling back our private data will be one of the greater generational challenges going into the latter parts of this century.

Sure, it is easy to dismiss such cyber events as financially motivated. Ransomware is, after all, about the money. But many breaches are also about gathering intelligence to unlock confidential trade secrets, opening a strategic business advantage, or simply draining resources to expose vulnerabilities.

For businesses, preparation is key and proactive thinking is a must. Some organizations will rush to artificial intelligence to carry out the principle that “offense is the best defense.” But in the meantime, the laws are evolving quickly in this area, with states stepping up to dictate the chorus of cyber readiness and compliance mandates, leaving aside that the European Union sprinted miles ahead years ago when it came to issues of cybersecurity and data privacy with the General Data Protection Regulation (GDPR).

An assortment of new state laws and regulations are already on the books, and more are coming soon. That means cyber compliance must weave straight into the fabric of the corporate infrastructure and onto the agendas of decision-makers. Through this process, a two-part question emerges: From a business standpoint, what about enforcement? To what degree should it be keeping corporate CEOs up at night? The short answer is that enforcement actions are rolling, particularly in states like New York. They could be coming to a train station near you, unless your organization has put in place the right security and privacy compliance programs, both domestically and internationally, before attackers attempt to breach the corporate gates.

‘In the Matter of Residential Mortgage Services’

Back in March of this year, the New York State Department of Financial Services (NYDFS) announced a settlement with Residential Mortgage Services (RMS) in which the licensed mortgage banker agreed to pay a $1.5 million penalty. This came after a July 2020 examination uncovered evidence that RMS had been the subject of a cyber breach in 2019, and that it had not reported the breach to DFS, in violation of New York’s Cybersecurity Regulation Part 500.17. Pursuant to the consent order, DFS had commenced an examination of RMS during a two-year review period.

During this review, DFS discovered that 18 months earlier an employee, who collected a substantial amount of sensitive personal data from mortgage loan applicants, had responded to a phishing email, providing additional authentication and ultimately causing unauthorized access. Upon determining that access had been limited to the employee’s email account, the company’s IT function failed to direct further inquiry. DFS characterized this failure as “especially egregious” in light of the employee’s handling of private data including consumers’ Social Security and bank account numbers.

RMS was required, under 23 NYCRR 500.17(a)(1), to notify DFS within 72 hours of having determined that a cybersecurity event occurred. Instead, after approximately 18 months post-breach, and at the urging of DFS, RMS initiated an investigation and finally considered the requirements of the relevant breach notification laws. Notably, DFS also discovered that RMS was missing a comprehensive cybersecurity risk assessment, in violation of 23 NYCRR 500.09(a).

Dissecting its findings regarding the value of a comprehensive cybersecurity risk assessment is particularly instructive, since DFS called such an assessment “the foundation of the risk-based cybersecurity program required by the Cybersecurity Regulation.”

These assessments can be incredibly helpful, not to mention predictive, in forecasting an organization’s vulnerability to a cyber breach or attack. But a generic, preprogrammed, out-of-the-box solution is one of the most common mistakes IT teams make. Presenting an organization with that kind of boilerplate solution is nothing more than a tactical Band-Aid that overlooks the basic principle that cybersecurity and data privacy are not one-size-fits-all.

Anyone who has earned their battle scars in business knows that using simple tactics over strategic thinking is the surest way to achieve underperformance, and maybe to even get outright run over.

Corporate executives should be strategic in their thinking and committed to finding practical solutions in a regulatory area of the law that, frankly, demands commitment to innovative thinking. Each company’s infrastructure is tailored to its operational blueprint. Just as its stress points are unique to its foundation, so too must its security and privacy programs work synergistically to simultaneously achieve compliance and avoid impeding corporate growth.

It is no surprise, then, that DFS addressed some of these same principles directly in the consent order with RMS. In fact, the agency plainly stated that these cybersecurity risk assessments are fundamental to a cybersecurity program required under 23 NYCRR 500.09(a). Each regulated entity must have a clear idea of the specific risks it faces and must “design” a program to meet those risks.

By performing these risk assessments, a company will be in a better position “to shape” such a program and mitigate possible threats. DFS stressed that a cybersecurity risk assessment serves “to evaluate cybersecurity risks,” as well as protect the company’s information systems and numerous classifications of data.

It also stressed that an “assessment should result in thoughtful cybersecurity programs specifically tailored to safeguard the confidentiality of company and consumer data.” Executives and risk managers should not overlook this DFS acknowledgement that cybersecurity assessments should be “designed” and “shaped” to the company footprint in order to ultimately “tailor” a “thoughtful” program that protects the integrity of confidential data strongholds within the company itself. In short, this wording provides a statutory roadmap, of sorts, to not only understand how to protect one of a company’s principal assets—its proprietary data—from a business perspective, but also how to achieve legal compliance without unduly placing both goals at odds.

‘In the Matter of National Securities Corporation’

Again in April, NYDFS announced it had reached another settlement related to its Cybersecurity Regulation. This time with National Securities Corporation (NSC), whereupon the licensed insurance company would pay a penalty of $3 million to New York state. These violations, according to DFS, had “caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, including thousands of New York consumers.” DFS stated in a press release that the agency had discovered, in the course of an investigation, that NSC had been the target of four cyber breaches during a two-year period, and that two of those breaches had not been reported, in violation of 23 NYCRR 500.17(a).

These cyber events allowed unauthorized access to the email accounts of company employees as well as independent contractors. DFS also uncovered, among other things, that NSC did not fully apply multi-factor authentication (MFA), in violation of 23 NYCRR 500.12(b), nor did it implement something reasonably equivalent or use more secure access controls approved in writing by the company’s chief information security officer (CISO). Furthermore, DFS stated that because NSC had not fully implemented MFA, the company falsely certified annual compliance for 2018, in violation of 23 NYCRR 500.17(b).

As part of the consent order, DFS called MFA “the first line of defense” to guard against unauthorized access, including the use of phishing emails sent to deceive users into turning over personal details or other confidential information that attackers then use to gain unauthorized entry into a protected information system.

Regarding remediation—and similar to the matter involving RMS—DFS stated in the order that NSC “shall continue to strengthen its controls to protect its cybersecurity systems and the private data of consumers,” in accordance with 23 NYCRR 500, specifically by submitting:

An important takeaway from the enforcement action is this: Companies can proactively take any of the remedial measures cited by DFS in either consent order. Doing so would potentially avoid, or at least mitigate, such an enforcement action and the costly penalties and monitoring that follow. Putting together a workable Cybersecurity Incident Response Plan and performing a Cybersecurity Risk Assessment to shore up an organization’s stress points before a breach occurs are particularly crucial.

More to the point, the statute makes clear that training and monitoring must be “designed to monitor the activity of authorized users” and “provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment.” In other words, these training programs, like most essential guides to winning business philosophy and strategy, should be both “designed” and implemented with the unique organizational blueprint in mind.

The bottom line: There really are no shortcuts. An organization cannot cut and paste its security and privacy programs into compliance. It has to go beyond mere academic assumption theorems that rely heavily on unproven abstract hypotheticals. Instead, it must address the fault lines directly at the source—using science as a primer, looking at actual psychology and behavior that can prepare employees to actively avoid granting unauthorized access, and using concrete and quantifiable real-life analytics to head off the problem in the first place.

See also:

Conclusion

The arc of development of cybersecurity and data privacy as core business issues is at its three-quarters turn, having gone from a pure IT issue only five years ago to state laws and now the forecasted extension of those laws—enforcement. The final turn will be the passage of a uniform federal law to ultimately tie this current patchwork together.

Proactively addressing cybersecurity concerns within an organization is the key to implementing a successful defense against outside forces seeking to gain unauthorized access to the organization’s most valuable asset, its confidential proprietary data.

Each company’s profile is unique, so CISOs and risk managers must tailor the organization’s cybersecurity compliance readiness plan to the organization’s distinctive identity and structural footprint. Compliance regulations are complex and continuously evolving. Accounting for the diversified business needs and blueprint of the organization will ensure it is protected at every step moving forward and will increase its potential for avoiding costly enforcement actions, not to mention crippling government oversight.

Rebecca L. Rakoski and Patrick D. Isbill are co-founders and managing partners at XPAN Law Partners. Rebecca counsels and defends public and private corporations, and their boards, during data breaches and responds to state/federal regulatory compliance and enforcement actions. Patrick’s practice focuses on cybersecurity and data privacy compliance and enforcement.

From: New York Law Journal

Recommended Stories