9 Risk Management Failures That Led to Charges Under NY’s Cyber Law
Remember back in 2017 when we warned you that the New York State Department of Financial Services’ (NYDFS) cybersecurity regulations would reach far beyond New York state?
It finally happened. Last month NYDFS filed its first cybersecurity enforcement action since the law took full effect in March 2019. It charged a large title company based in Nebraska with exposing more than 850 million documents containing private customer data over at least four years between 2014 and May 2019. That includes bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images.
In one 11-month period, more than 350,000 of these documents were accessed by automated “scraper” programs designed to collect information on the Internet, NYDFS says.
The potential financial consequences are huge. Even though the company is based in Nebraska, the company must answer to NY state law since it operates there, writing more than 50,000 policies in 2019, says NYDFS. Under NY state law, each exposed document could result in a fine of as much as $1,000.
How does a cyber mistake of this size happen? The answer touches on nearly every area of risk management, including risk assessments, findings management, and internal controls, as well as ineffective manual processes.
Let’s take a closer look at what NYDFS says went wrong.
- Poor risk management. Not only did the title company fail to perform a risk assessment of its computer program, but it also misclassified the level of risk the security flaw presented. The vulnerability was labeled as “medium severity” even though it had the potential to expose sensitive customer data.
How do you know you are correctly assessing risk? Download our whitepaper Creating Reliable Risk Assessments.
- Poor compliance. NYDFS says the title company didn’t follow its policies, which required a security review and risk assessment of the computer program. The flaw, which was introduced in a software update in May 2014, went undetected for years.
A good compliance management system (CMS) would have recognized this failure much earlier.
- Failure to keep up with findings. The title company was made aware of the issue in December 2018 after an internal penetration test but did nothing to correct the problem for six months until published media reports exposed the vulnerability publicly. Part of the problem was that its severity label was accidentally changed from “medium” to “low,” so it wasn’t a high priority at the company. They had 90 days to fix it. Even that deadline was ignored.
Clearly, the title company needs to improve its findings management process.
- No accountability for remediation. Testimony suggested an “alarming lack of accountability” for remediating vulnerabilities. A new, inexperienced staffer was assigned responsibility but was never given the penetration test results or the company’s remediation policy and standards, and received little support.
The title company desperately needs task management and accountability and should consider automating the process.
- Didn’t listen to internal cyber experts. The company’s cybersecurity team recommended the problem be addressed “as soon as possible,” but the suggestion was ignored even when the team pointed out that 5,000 of the exposed documents were turning up in Google search results.
- Minimal investigative scope. The cybersecurity team looked at just 10 of the 850 million exposed records to determine if sensitive data was exposed. None of this ridiculously small sample included sensitive data. While the cyber team encouraged further investigation, that suggestion was ignored.
- Manual processes failed. The company manually labeled documents with non-public personal information (NPI), but it didn’t work. An audit of 1,000 documents found that 30 percent contained NPI and weren’t labeled as such.
It’s yet another example of manual processes failing to protect a financial institution. It’s the reason why so many FIs have been moving to automation when it comes to areas like risk management, vendor management, compliance, audit, cybersecurity assessments, and findings.
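To show why automated classification beats manual NPI labeling, and why a 10-record sample proves nothing about 850 million records, here is an added Python example (not code from the article or from the company involved). It scans constructed sample documents for the data types the action lists (SSNs, bank account numbers, driver’s license numbers), compares the result with a made-up manual label, and computes the largest share of NPI documents that an all-clean sample of a given size can rule out at 95% confidence.

```python
import re

# Constructed sample documents with a made-up manual label, as an
# illustration of the labeling process described in the article.
SAMPLE_DOCUMENTS = [
    {"id": 1, "manual_label": "NPI", "text": "Borrower SSN 123-45-6789, wire receipt attached."},
    {"id": 2, "manual_label": "public", "text": "Recorded deed, parcel 44-12, no personal data."},
    {"id": 3, "manual_label": "public", "text": "Routing 021000021 account 000123456789 for closing funds."},
    {"id": 4, "manual_label": "public", "text": "Driver license scan: DL# D1234567 (NY)."},
    {"id": 5, "manual_label": "NPI", "text": "Tax record for 2018, SSN 987-65-4321."},
]

# Simple regex patterns for the NPI categories named in the enforcement action.
# Real scanners use stricter validation; these are deliberately minimal.
NPI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "bank_account": re.compile(r"\b(?:account|acct)\s*#?\s*\d{8,17}\b", re.I),
    "drivers_license": re.compile(r"\b(?:DL|driver'?s? licen[cs]e)\s*#?\s*[A-Z]?\d{7,9}\b", re.I),
}


def detect_npi(text):
    """Return the set of NPI categories found in one document's text."""
    return {name for name, pattern in NPI_PATTERNS.items() if pattern.search(text)}


def audit_labels(documents):
    """Compare automated detection with the manual label.

    Returns (ids of documents holding NPI but not labeled as such, mislabel rate).
    """
    mislabeled = [d["id"] for d in documents
                  if detect_npi(d["text"]) and d["manual_label"] != "NPI"]
    return mislabeled, len(mislabeled) / len(documents)


def max_exposure_rate(clean_samples, confidence=0.95):
    """Largest true fraction p of NPI documents still consistent with seeing
    `clean_samples` records in a row with no NPI: solve 1 - (1-p)^n = confidence."""
    return 1 - (1 - confidence) ** (1 / clean_samples)


if __name__ == "__main__":
    ids, rate = audit_labels(SAMPLE_DOCUMENTS)
    print(f"mislabeled documents: {ids} ({rate:.0%} of the set)")
    for n in (10, 1000):
        print(f"{n} clean samples only rule out an NPI share above {max_exposure_rate(n):.1%}")
```

With only 10 clean samples the true NPI share could still be about 26 percent, which is why the cyber team's call for a wider investigation mattered.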
- No data encryption. Documents containing NPI should be encrypted under NY’s cybersecurity law. They were not.
- Poor controls. The only control preventing people from using the system to distribute NPI is telling them not to do it.
This was more than a simple oversight. This was a systemic failure of risk management. If even one of these key areas was operating properly, it could have identified and corrected the problem years ago. Instead, the title company is facing the potential of some mega-fines.
It’s also worth wondering, with so many risk management, compliance, and cybersecurity oversights, was the company even aware of its responsibilities under New York state law? It reported the lapse to the state after media reports came out, but by then months and months had passed.
Make sure your FI is complying with the appropriate state, local, and federal laws and regulations when it comes to cybersecurity and other areas. If you have customers or members in a state, you need to be following that state’s laws.
If you’re confused about which rules apply and how to develop policies and procedures around a patchwork of state and local laws, check out our on-demand webinar:
The Devil’s in the Details: How the State Notice of Breach Provisions Impact Third-Party Risk and Operations.