Introduction
Key Takeaways
New York First in Nation to Implement Statewide Cybersecurity Regulation for Financial Services Industry
One point five million dollars. That’s how much it’s going to cost an independent mortgage lender after New York’s Department of Financial Services determined the company violated a lesser-known cybersecurity mandate known as the state’s Cybersecurity Regulation.
What is the Financial Services Cybersecurity Regulation?
New York is the first state in the nation to successfully pass and implement a statewide Cybersecurity Regulation designed to protect consumers and the financial services industry from data breaches and cyber-attacks. The rule, 23 CRR-NY 500.0 NY-CRR, went into effect on Aug. 29, 2017, and the state’s Department of Financial Services (DFS) oversees it.
Similar to the effect of GDPR on organizations that handle sensitive and protected data for European Union (EU) residents, regardless of organization location, New York’s Cybersecurity Regulation applies to DFS-regulated organizations authorized to do business in the state through its banking law, financial services law, or insurance law—regardless of the organization’s headquarters’ location. The regulations extend beyond just banks and also include licensed lenders, mortgage companies, services providers, and insurance companies.
There are several compliance exemptions to the rule, including:
- Companies with 10 or fewer employees
- Those who earn less than $5 million in annual revenue from New York
- Those that don’t use, operate, maintain, or control information systems
- Companies with less than $10 million in year-end assets
For those that don’t meet one of the exceptions, they are expected to meet a number of standards and implement cybersecurity best practices to ensure industry compliance, while protecting consumer data. The regulation also outlines timely reporting for cybersecurity events (both successful attacks and unsuccessful attempts) by bad actors who attempt to get unauthorized access to sensitive data. The regulation dictates these cybersecurity event disclosures must be reported within 72 hours of event discovery.
Here are some of the core areas outlined in the regulation:
- Cybersecurity program and policy
- Appointment of a CISO
- Penetration and vulnerably testing
- Audit expectations
- Access privileges
- Application security best practices
- Risk assessments
- Third-party relationships
- MFA requirements
- Data retention
- Employee training and monitoring
- Encryption
- Incident response
- Event notification requirements
What Happened?
In March 2019, a mortgage lender, Residential Mortgage Services Inc. (RMS) experienced a cyber breach. The company is based in Maine but is licensed to do business in New York and is subject to the New York State Banking Law.
In 2019, RMS closed nearly 14,000 residential mortgage loans. The following year, in April 2020, the company filed a certificate of compliance indicating it had been compliant with relevant parts of the Cybersecurity Regulation in 2019.
At the end of March 2020, DFS initiated an examination of RMS and discovered compliance and reporting issues related to the Banking Law. The examination covered a time period from Jan. 1, 2017, through Dec. 31, 2019. The state’s “safety and soundness review” was intended to evaluate the company’s compliance with the Cybersecurity Regulation.
During this review, DFS wanted to verify that RMS had not filed any cybersecurity event notices, but during that time, they discovered an unreported event had occurred 18 months prior.
According to the consent order DFS filed in response to the review, the company admitted it had not fully investigated a potential data breach from March 2019 where an attacker successfully launched a phishing attack and gained access to an RMS employee email account.
Phishing attacks make up more than 80% of all reported security incidents and 94% of all malware delivery happens through email.
The compromised email account contained personally identifiable information (PII) for multiple mortgage loan applicants, including their names, bank account details, and Social Security numbers. As part of the phishing scheme, the attacker sent an email that appeared to be from a legitimate business partner. It was not.
The employee clicked a link inside the email which took her to a malicious website. On the site, the employee followed prompts and provided the username and password for her RMS email account.
RMS had safeguards in place, including, but not limited to, requiring multi-factor authentication (MFA) for email access. When the employee received an MFA prompt on her phone to approve login to her email account, she did so, at least four times in one day. That included times when the employee was not working and when she was not attempting to access her own email account.
According to the consent order, the following day the employee received a fifth MFA prompt, at which time she alerted RMS IT staff.
The consent order reveals the IT team’s investigation determined an intruder had successfully accessed the employee’s email account at least four times. The team then blocked further access from the offending IP address. After determining access was limited to the single account, RMS completed no further actions related to the breach.
DFS determined that RMS did not take appropriate actions to meet breach notification requirements, specifically related to:
- Failure to identify if the email account had private consumer data at the time of the breach
- Failure to identify consumer impact
- Failure to apply notice requirements
Further, as DFS probed the event and conducted its examination, it determined RMS had not completed a comprehensive cybersecurity risk assessment, which the Cybersecurity Regulation requires.
All entities regulated by DFS must complete this assessment, understand its risks, and build a cybersecurity program that addresses those risks. Not doing so, DFS stated, undermined the company’s 2020 compliance certification filing for 2019.
As a result of the investigation, RMS had to go back through all of the employee’s emails from time of hire through the day it stopped the intrusion to review all emails for PII and then to use those findings to notify all affected individuals.
In addition to the cybersecurity controls RMS already had in place, following the breach the company also initiated additional controls including:
- Automatic warning labels for external emails
- Automatic warning and filtering of phishing emails prior to end-user reach
- IP filtering and analysis
- Penetration and other testing by third-parties
As a result of the examination findings, DFS imposed a penalty of $1.5 million that was due, in full, 10 days after the consent order was filed. The company was also directed to strengthen its cybersecurity controls including completing a cybersecurity incident response plan within 90 days of the order’s filing, as well as a comprehensive cybersecurity risk assessment, and additional training and monitoring for its employees.
Frameworks for Compliance
The Cybersecurity Regulation has multiple components, many of which align to existing frameworks such as the NIST Cybersecurity Management Framework. This is good news for DFS-regulated businesses that already have existing security and risk management frameworks in place.
The challenge for many organizations, however, is the ability to look at which controls you already have in place and clearly see how they meet DFS requirements. If you’re doing this using manual tools such as spreadsheets, you may struggle to determine if you are really in compliance or not.
But compliance visibility doesn’t have to be as cloudy as it used to be. With a cybersecurity framework management platform like Apptega, you can implement, track, and manage all of your controls—across all of your frameworks—through a simple, easy-to-understand dashboard that gives you instant insight into how well you’re meeting control and compliance requirements and where you may have gaps.
And, if you’re just getting started developing your cybersecurity program, the platform can help you build on existing controls, crosswalk them across frameworks, and mature your cybersecurity posture over time while giving you the confidence you’re meeting all of your regulatory and compliance requirements.
Do you need help determining which controls are right for your organization? Do you struggle with visibility into all of your compliance metrics?
Contact an Apptega advisor today, and we’ll be happy to answer your questions and show you how you can use the Apptega platform to quickly and efficiently manage and track all of your controls, no matter how many requirements your organization has to juggle today–and in the future.