Three years after enacting one of the country’s most exacting cybersecurity regulations, the New York State Department of Financial Services recently filed its first cybersecurity enforcement action.
In its July 21, 2020, statement of charges, NYDFS alleged that First American Financial, one of the country’s largest title insurers, failed to properly respond to a security vulnerability on its website. After a penetration test uncovered the vulnerability, First American misclassified its risk, failed to properly investigate both the vulnerability and the documents it exposed, and rejected the recommendations of its in-house cybersecurity team.
As a result, NYDFS alleges that the insurer’s website exposed millions of documents containing consumers’ nonpublic personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ licenses. NYDFS seeks civil monetary penalties that could leave First American exposed to millions in liability.
While we await the results of the NYDFS’s hearing scheduled for October 2020, several key lessons can be learned from this enforcement action:
First, expect cybersecurity to remain a regulatory focus. The timing of the NYDFS’s inaugural enforcement action shows that cybersecurity remains a key priority for the NYDFS, even during the COVID-19 pandemic. NYDFS-licensed mortgage lenders are required to attest annually to compliance with the state’s cybersecurity requirements, which were enacted in March 2017.
If your mortgage company has attested to compliance but has not fulfilled NYDFS requirements — such as multi-factor authentication, cybersecurity training for employees, encryption, and penetration testing — you should prioritize completion as soon as possible.
Second, centralize controls and empower your Chief Information Security Officer (CISO). NYDFS alleges that First American’s controls and training were decentralized, and that the company’s CISO was given only limited responsibility for implementing cybersecurity processes across the company. Many mortgage lenders outsource the CISO function, as NYDFS regulations permit, because of limited internal capabilities and capacity.
Nevertheless, it is important to ensure that outsourced CISO recommendations are heeded by a mortgage company’s top management. Controls and training should be implemented consistently company-wide, rather than allowing each business unit to implement its own processes.
Third, involve outside counsel when sensitive cybersecurity issues arise. The NYDFS’s charges reveal internal confusion and disagreement among First American’s employees about how to address the vulnerability. Outside counsel can coordinate a response and reduce the chance that employees will speculate prematurely, and reach conflicting conclusions, about a security vulnerability.
Outside counsel can also establish an attorney-client privileged channel for communications, which reduces the likelihood that unflattering documents relating to a data incident will become evidence in a legal proceeding. Mortgage lenders should retain, or at a minimum identify, competent cybersecurity counsel before cybersecurity issues arise.
Fourth, use outside cybersecurity experts. Under the direction of outside counsel, outside cybersecurity experts should be engaged to provide an independent, objective assessment of cybersecurity issues. This is preferable to relying on a mortgage lender’s own employees, who may be tainted by conflicts of interest.
Involving outside cybersecurity experts will also lessen the possibility that a mortgage lender’s employees will have internal disputes about how to respond to a cybersecurity issue. From the perspective of employees, these internal disputes can destroy morale. From the perspective of the NYDFS, a documented record of such disputes shows that the company was aware of the issue while it remained unresolved.