The New York Department of Financial Services (NYDFS) has launched its first enforcement action under New York’s Cybersecurity law for financial services, so-called Part 500. Part 500 requires NYDFS licensed institutions to adhere to certain privacy and cybersecurity standards.
Part 500 took full effect in March 2019. It required NYDFS licensed firms to undertake risk assessments for the Non Public Information (NPI) that they processed. Their cybersecurity practices had to correspond to the NPI’s nature, volume, and sensitivity.
Here, NYDFS alleged that the title insurer targeted by the action had violated its Part 500 obligations. Specifically, NYDFS contended that the company did not fix a known vulnerability in its document-handling program. Cyber defense staff discovered the problem in December 2018, but the company took another six months to address the issue. This failure allegedly compromised millions of documents.
NYDFS determined that the insurer had stored documents used to obtain title insurance in a proprietary document management system. The documents were sequentially numbered. Because that numbering made document identifiers guessable, and because the system applied no verification procedures before serving a document, unauthorized viewers were able to access the documents. Some documents even appeared in Google search results.
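The access-control gap described above, as an added illustration that is not code from the insurer's system or from NYDFS: a document store that serves records by sequential number with no verification, beside a hardened lookup that uses an opaque reference and an ownership check, plus a small detector that flags clients walking consecutive document numbers in an access log. The class and function names and the sample log are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Document:
    doc_id: int    # sequential number, as in the document management system described
    owner: str     # customer entitled to see the document
    body: str


@dataclass
class DocumentStore:
    docs: Dict[int, Document] = field(default_factory=dict)
    refs: Dict[str, int] = field(default_factory=dict)  # opaque reference -> doc_id

    def add(self, owner: str, body: str) -> Tuple[int, str]:
        doc_id = len(self.docs) + 1              # sequential, hence guessable
        self.docs[doc_id] = Document(doc_id, owner, body)
        ref = secrets.token_urlsafe(16)          # unguessable handle for links
        self.refs[ref] = doc_id
        return doc_id, ref

    def fetch_insecure(self, doc_id: int) -> Optional[str]:
        # The failure mode in the action: whoever supplies a number gets the document.
        doc = self.docs.get(doc_id)
        return doc.body if doc else None

    def fetch_verified(self, requester: str, ref: str) -> Optional[str]:
        # Hardened: opaque reference AND an ownership check; fail closed on either.
        doc_id = self.refs.get(ref)
        if doc_id is None:
            return None
        doc = self.docs[doc_id]
        return doc.body if doc.owner == requester else None


def sequential_access_clients(access_log: List[Tuple[str, int]], run: int = 3) -> List[str]:
    # Detection: flag clients whose requests walk `run` consecutive document numbers.
    by_client: Dict[str, List[int]] = {}
    for client, doc_id in access_log:
        by_client.setdefault(client, []).append(doc_id)
    flagged = []
    for client, ids in by_client.items():
        streak = 1
        for prev, cur in zip(ids, ids[1:]):
            streak = streak + 1 if cur == prev + 1 else 1
            if streak >= run:
                flagged.append(client)
                break
    return flagged
```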
Describing the response as “a cascade of errors”, NYDFS cited the insurer for allegedly:
- Not performing a risk assessment of the document management system;
- Delaying resolution of the issue;
- Failing to adhere to its own cybersecurity and privacy policies and procedures;
- Failing to assign a qualified employee to address the issue;
- Not conducting further risk assessments.
The NYDFS action is a strong shot across the bow to NYDFS-licensed entities. At a minimum, entities should have:
- An assessment of NPI in their inventory;
- Rigorous risk assessment;
- Qualified cybersecurity staff, including a CISO;
- Adequate and documented procedures;
- Breach response plans;
- Consistent enforcement across the board.
Falling short of these standards potentially entails $10,000 per NYDFS-defined violation, a stiff price tag by any measure.