Ignoring NY DFS Cyber-Breach Requirements = $1.5 Million Lesson

A mortgage banking company recently paid a $1.5 million penalty to the New York Department of Financial Services (DFS) for non-compliance with DFS's Cybersecurity Regulation (23 NYCRR 500), which came into effect in 2017. The consent order offers useful lessons for DFS-regulated entities, and many of them apply more broadly because the DFS framework resembles other data security and breach notification rules in key respects. The order deals with a successful breach by a threat actor who used a phishing attack to take over the account of a single employee who had access to customers' personal information, including Social Security numbers. The mortgage banker had put in place a number of the cybersecurity measures the Cybersecurity Regulation requires, but, as we have noted in other contexts, meeting the technical requirements is only part of the solution: failing to follow through on the other fronts, and to keep doing so as threats and vulnerabilities evolve, erodes whatever mitigation the controls provide. Here are some notable lessons from the incident:
  • Multi-factor authentication is an excellent defense, unless your employees work to defeat it: It is close to a consensus view that well-implemented multi-factor authentication is a powerful defense against most account compromise attacks, and it is one of several measures DFS specifically calls out in the Cybersecurity Regulation. Like most security controls, however, it can be undermined by the very user it protects. Here the targeted employee not only gave his login credentials to the threat actor several times, but then approved the resulting login prompts through the multi-factor step several (four more!) times, in the office and again later the same day. Needless to say, the threat actor gained access. The practical point for security teams: a push-to-approve prompt that requires only a tap is only as strong as the user's willingness to keep saying no, so repeated prompts, and especially an approval that follows a string of denials, should be treated as a signal of compromise rather than as noise.
  • Take reporting obligations seriously: The victim company was breached in March 2019. It conducted what DFS described as a superficial investigation and did not report the event to DFS within 72 hours as required. As a DFS covered entity, the company was subject to audits, and one took place about a year later. Months into that audit, DFS discovered the breach, and with it the fact that the company had never conducted a real incident response or review. The company then had to run a badly delayed incident response (the consent order does not say so, but it was almost certainly far more costly and disruptive than one done at the time of the breach). On top of that, the company paid DFS a $1.5 million penalty and had to notify all affected individuals, who were no doubt unhappy about a year's delay in being able to protect themselves. An expensive lesson.
  • The human factor is key: The consent order and the breach are a clear illustration of why a cybersecurity program must put the human factor at the core of its risk assessment and mitigation. Threat actors know that the easiest path into a network runs through the people who operate, use, maintain, or visit it. To protect your company, put those people, your users, employees, and third parties, at the center of your program, and be wary of advice that focuses only on technology or process.
  • Know your risks (and how to assess them): The consent order underscores that the victim company failed to conduct, and to act on, a solid risk assessment, a core requirement of the Cybersecurity Regulation. You cannot build a good cybersecurity program without intelligence about the threats you face and knowledge of the vulnerabilities in your assets, yet too many companies get past this requirement with a pro forma assessment or none at all. A risk assessment is also the foundation of a usable incident response plan, which the consent order makes clear was also missing: the victim company failed to take basic steps such as bringing in outside counsel for advice.
  • Take DFS seriously: DFS took some time to get out of the gate on enforcement (this is reportedly only the second enforcement action since the Cybersecurity Regulation came into effect), but all indications point to a much more determined approach going forward. If you are a DFS covered entity, you have been required to certify full compliance with the Cybersecurity Regulation for some time. Treat consent orders such as this one as a reminder to kick the tires on your program and check that you are doing the things others are paying DFS a lot of money to learn painfully.
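The multi-factor lesson above has a concrete detection counterpart: the pattern of repeated push prompts followed by an approval is visible in an identity provider's audit log before the attacker ever touches customer data. The following is an added example, not code from the article or from the company involved; the event names (`push_sent`, `push_denied`, `push_approved`), the log layout and the sample events are constructed for illustration and will differ from any real IdP's export format.

```python
"""Flag MFA push-fatigue patterns in authentication audit events.

Added example (not from the original article). Field names and sample
events are constructed; map them to your IdP's real audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, user, event, source_ip).
# "jdoe" gets three prompts from one external IP, refuses twice, then
# approves, which is the pattern described in the consent order.
# "asmith" is a normal login: one prompt, one approval.
SAMPLE_EVENTS = [
    ("2019-03-01T09:02:11Z", "jdoe",   "password_ok",   "203.0.113.7"),
    ("2019-03-01T09:02:15Z", "jdoe",   "push_sent",     "203.0.113.7"),
    ("2019-03-01T09:02:40Z", "jdoe",   "push_denied",   "203.0.113.7"),
    ("2019-03-01T09:03:02Z", "jdoe",   "push_sent",     "203.0.113.7"),
    ("2019-03-01T09:03:30Z", "jdoe",   "push_denied",   "203.0.113.7"),
    ("2019-03-01T09:04:05Z", "jdoe",   "push_sent",     "203.0.113.7"),
    ("2019-03-01T09:04:20Z", "jdoe",   "push_approved", "203.0.113.7"),
    ("2019-03-01T09:04:21Z", "jdoe",   "login_ok",      "203.0.113.7"),
    ("2019-03-01T09:10:00Z", "asmith", "password_ok",   "198.51.100.20"),
    ("2019-03-01T09:10:03Z", "asmith", "push_sent",     "198.51.100.20"),
    ("2019-03-01T09:10:10Z", "asmith", "push_approved", "198.51.100.20"),
    ("2019-03-01T09:10:11Z", "asmith", "login_ok",      "198.51.100.20"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_push_fatigue(events, window=timedelta(minutes=10), max_prompts=2):
    """Return one alert per user whose push activity looks like prompt bombing.

    For every user, slide a window of length `window` over that user's
    push events and flag it when either:
      - more than `max_prompts` prompts were sent inside the window, or
      - an approval was granted after an earlier denial inside the window
        (the user first refused, then gave in).
    """
    by_user = defaultdict(list)
    for ts, user, ev, ip in sorted(events, key=lambda e: e[0]):
        if ev.startswith("push_"):
            by_user[user].append((parse_ts(ts), ev, ip))

    alerts = []
    for user, evs in by_user.items():
        for i, (t0, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            sent = [e for e in win if e[1] == "push_sent"]
            denied = [e for e in win if e[1] == "push_denied"]
            approved = [e for e in win if e[1] == "push_approved"]

            reasons = []
            if len(sent) > max_prompts:
                reasons.append("prompt_bombing")
            if approved and denied and min(d[0] for d in denied) < max(a[0] for a in approved):
                reasons.append("approve_after_deny")

            if reasons:
                alerts.append({
                    "user": user,
                    "window_start": t0.isoformat(),
                    "prompts": len(sent),
                    "denials": len(denied),
                    "approvals": len(approved),
                    "source_ips": sorted({e[2] for e in win}),
                    "reasons": reasons,
                })
                break  # one alert per user; an analyst can pull the full timeline
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the only alert is for `jdoe`, with both reasons set; `asmith`'s single prompt and approval produce nothing. The thresholds are deliberately low because a legitimate user rarely needs more than two prompts in ten minutes, and an approval that follows a denial is almost never benign. An alert of this kind is the point at which to revoke the session and reset the credential, which is exactly the response that was missing in the incident the consent order describes.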
Ice Miller has extensive experience with cybersecurity requirements. Our team includes Guillermo Christensen, managing partner of the Firm's Washington DC office and a former CIA officer with almost 20 years of national security experience in the intelligence community and in incident response involving nation-state attacks on companies in the U.S. and internationally.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.