What Businesses Can Learn from NYS DFS’s First Cybersecurity Crackdown
The first enforcement action under New York's cybersecurity regulation was a notable start for the regulator and an important reminder to businesses around the state. The New York Department of Financial Services (DFS) adopted the regulation (23 NYCRR Part 500) in 2017, and last year it created a dedicated Cybersecurity Division as well. In July 2020, DFS filed charges against First American Title Insurance Company over a data exposure, the first enforcement action under the regulation and the first brought by the Cybersecurity Division. For both, it was a consequential beginning.
First American's exposure involved as many as 885 million documents, including non-public personal information (NPI). The documents could be retrieved by anyone who had a document's web address, with no login required, and some had even been indexed by Google and turned up in ordinary searches. Here is a look at what went wrong at the insurance company and what business owners can learn from it.
Make sure your cybersecurity policies meet risk assessment requirements and reflect the actual practices of your company.
Investigation of the incident revealed that First American had not followed its own cybersecurity policies. For one, the affected documents were supposed to have been encrypted by September 2018. When a penetration test revealed the exposure in December 2018, those documents still had not been encrypted. First American then failed to remediate the identified exposure within the 90 days its own policy required. Ignoring its own policy compounded First American's liability once the incident came to light: a written control that is not actually enforced is evidence against the company, not for it.
Review your cybersecurity policies and confirm that your business is meeting its own requirements (encryption standards, remediation deadlines, access reviews) as well as the requirements mandated by DFS or your state's regulatory body. If a written requirement cannot realistically be met, revise it rather than leave it on paper.
Remediate any discovered vulnerabilities as quickly as possible.
According to the DFS charges, First American made no meaningful attempt to fix the vulnerability until a news article detailed the exposure in May 2019, almost six months after the insurance company had learned of it. That lag prolonged the exposure and weighed heavily against the company in the DFS investigation.
If you have reason to believe that your company has a cybersecurity issue, remediate it quickly. Always start with a comprehensive review to establish the full scope and severity of the problem, including how long the weakness has existed and what data it reaches. First American skipped that step, which likely contributed to its poor response.
Consider all of the recommendations from your cybersecurity team carefully and document your decisions.
After the penetration test in December 2018, First American's cybersecurity team recommended that the company conduct a more extensive review, which never happened. In fact, DFS noted that the employee assigned to remediate the issue was unqualified for the task and was not given the information needed to understand it. Under those circumstances, it is not surprising that the company failed to handle the exposure adequately.
When your in-house cybersecurity team brings you recommendations, documenting the reasoning behind your decisions is almost as important as the decisions themselves. Record what was recommended, what was decided, who decided it, and why. In the event of a breach, you will need to show how and why you made each decision relating to your cybersecurity in order to demonstrate that those decisions were not negligent.
Have comprehensive cybersecurity insurance to protect your company in the event of a breach.
Having cybersecurity insurance is an important step in preparing your company for security incidents. Business owners should know that general commercial insurance does not always include the breadth of coverage needed for all types of cyberattacks and online scams, so review the policy language rather than assuming you are covered. If your business manages confidential client information, it is crucial that your company carry appropriate cybersecurity coverage in order to avoid a debilitating loss. Keep in mind, though, that insurance transfers financial risk; it does not replace the controls above, and insurers increasingly expect to see them in place. It is impossible to eliminate risk entirely, so it is vital that businesses are well prepared to deal with complex cybersecurity incidents.
You can contact us here or by calling 800-242-2433 to speak to us about risk management solutions that can help protect your company from cyberattacks and help you to meet the protection requirements customers need.