Tag Archives: NYDFS

The Regulators Are Making a Point

Last month New York’s Department of Financial Services (DFS) fined Residential Mortgage Services $1.5 million for not having a compliant cybersecurity program and, even worse, not telling the regulator that they had a breach.

DFS said that RMS did not investigate the breach seriously, did not conduct a comprehensive risk assessment and did not notify the victims.

This month DFS went after National Securities Corp.

DFS says that they had four separate cybersecurity “events” between 2018 and 2020.

DFS noted that during a 2019 incident an employee’s email account was compromised and, oh, yeah, NSC had not implemented multifactor authentication, which is required by law.

In another event, a broker of the company discovered an potentially unauthorized transfer of $200,000. As the investigation continued, they discovered more unauthorized transfers. Ultimately, the company wrote a check to the client for $400,000. Even then, they did not have multifactor authentication enabled.

They did finally implement multifactor authentication in August of last year.

Out of curiosity – have you implemented multifactor authentication on all systems?

In the consent order, the regulator pointed out the obvious. You have to have MFA enabled, even for third party applications.

As the regulator dug into things, they discovered two more incidents that were not reported as promptly as possible and specifically, not within the 72 hours as required by law.

Regulated entities that do business in New York are required file an annual report with the regulator, signed by the CEO or CoB or similar person. The company claimed they were in compliance in that report, but according to DFS, because of all of these issues, they were not in compliance.

They fined National Securities $3 million and, as is typical in these cases, they said that they could not be reimbursed by insurance. They want them to feel the pain.

A summary of what happened can be found here.

Reading the consent order, one thing that the regulators seem to have focused in on is the fact that this company, like many companies, uses dozens of third party applications and many of these applications did not have multifactor authentication turned on.

In some cases, third party apps do not support multifactor authentication. In that case, you have to follow a process to assess the risk and implement alternate security measures. This process needs to be reassessed every single year. Companies have to follow this process for each application for which they cannot implement multifactor authentication.

The consent requires the company to file a comprehensive incident response plan with the department within 120 days.

They also, according to the consent order, need to submit a comprehensive cybersecurity risk assessment.

For both of these items, the consent order lists specific items these documents need to include.

They also have to provide a copy of compliant policies and procedures and documentation of all cybersecurity awareness training in the same time frame.

I am not sure if this will be a monthly event with the regulators or not, but I do think they are getting tired of businesses ignoring the laws.

While this only affects companies that do business in New York (wherever they may be located), we are also seeing noise from other states, such as California, which has just created a whole new regulatory agency. Funded, I might point out, by the fines that they issue.

Add to that the fact that Virginia’s governor just signed a bill into law that is even more comprehensive than California’s and that there are a number of other states (Florida, Texas, Washington, for example) that are likely to enact similar laws this year.

Consider what the New York regulator is doing as a “shot across the bow”. Do not expect this to go away. Also understand that the condition of not getting reimbursed by insurance is a pretty standard requirement.

To quote Dirty Harry: “Do you feel lucky”?

If not, now is the time to get busy.

Security News Bites for the Week Ending July 24, 2020

Cloudflare DNS Goes Down Taking A Big Chunk of the Internet Down

Good news and bad news. For companies like Shopify, League of Legends and Politico, among many others, Friday afternoon gave you a headache. You outsourced your DNS to Cloudflare and they had a burp. The good news is that because they are Cloudflare they were able to diagnose it and mitigate the problem in 25 minutes. While no one wants to be down, could you fix your internal DNS server meltdown in 25 minutes? Credit: Techcrunch

Great Article on How Norsk Hydro Dealt with a Ransomware Attack

Bloomberg has a great article on how Norsk dealt with their ransomware attack. Couple of thoughts. They spent $60 million to recover. Their insurance has paid them $3.6 million. You do the arithmetic. And, they weren’t dealing with ransomware 2.0 which really changes things. Check out the article on Bloomberg.

Grayshift Has a New Form of Spyware

Grayshift, the company that breaks into cell phones for cops and “other entities”, has come up with a new tool. Take a locked iPhone and put it on the Grayshift box. They install malware onto your locked iPhone. Then they give it back to the suspect under the guise of, say, calling their lawyer. The suspect unlocks the phone and the malware records the unlock code. Then the cops take the phone back and can unlock the phone without you. Likely Apple will figure out how they are doing this, but for now, it works. Credit: NBC News

First American (Title Company) Makes History

New York’s Department of Financial Services released a highly detailed set of security standards a couple of years ago for businesses that they regulate called DFS 500. This set of security standards dictates what controls and processes banks, mortgage companies, insurance companies and others must implement to protect the data that they store. First American is the first company that DFS has sued for messing up. There were 885 million records exposed and the fine can be $1,000 per record. You do the math and start the negotiations. Credit: PYMNTS.Com

MBA Panel Discusses Third Party Risk Issues

According to HousingWire, a panel at the Mortgage Bankers Association mortgage servicing conference discussed cyber risks and one seems to have the attention of regulators is risk introduced by vendors.  All you have to do is think back to Target, Home Depot and the Office of Personnel Management (collectively around 200 million compromised records).  The entry point of attackers in all three cases was vendors.

The panel pointed to guidelines from The New York Department of Financial Services (NYDFS), which are voluntary now, but may not be voluntary for long.  NYDFS is working with many state and federal regulators to make their view of the universe the nation’s standard.

While NYDFS only regulates entities like banks, insurance companies and broker-dealers (among others), there is a food chain to consider.  If you sell to or provide services for one of these covered entities, then that entity is going to require that you measure up to their regulator’s rules.  Otherwise, the regulator will come after them.

The NYDFS wants their rules to be included in contracts that regulated entities use.  That way there is no question.  You don’t want to agree to these terms, then don’t do business with them.

Some of the rules include:

  • Requirement to use two factor (or multi factor) authentication.
  • Use of encryption at rest and in motion.
  • Notification in case of a breach (yes, believe it or not, some banks recently were found to not require vendors tell them if the vendor was breached).
  • Indemnification in case the entity that is contracting for services experiences a loss due to the vendor being breached.
  • A requirement that the entity be able to audit the third party vendor (you may recall some issues around Blue Cross and their refusal to let the feds audit them.  With this clause in the contract, no audit, no payments).
  • Finally, reps and warrants regarding the third party’s information security.

This is only a partial list of the requirements, but as you can see, the implications are serious.  If Target’s refrigeration vendor had to indemnify them, the vendor would be out of business.

AND, the NYDFS is working with other regulators to get them to adopt these same rules.

So, while this only affects New York regulated entities and any company that does business with them, expect this to grow.  Look for a future blog post on what California is doing in this area.

One option is to wait until the rules are mandatory and then scramble to react to them.  Alternatively, you could be proactive and create a vendor risk management program under your timeline.  The second way may be less stressful.  It will allow you to grow the program over time as you work out the kinks.


Information for this post came from HousingWire.

NY Regulator Unveils Proposed New Cyber Security Regulations

When Ben Lawsky was running the New York Department Of Financial Services, he proposed new cyber security examination rules.  Now that he is gone on to start his own legal consulting firm, the legacy that he started continues.

This week the post-Lawsky NYDFS has released a set of proposed cyber security regulations.  And, just to up the ante, they shared their proposed regulations with every other significant regulator: the Federal Reserve, the OCC, the SEC and every other state regulator.  Their goal is to get everyone to adopt the same basic rules.

So what is in this gem?  If you are a state or federally chartered bank, an insurance company or a broker-dealer, you might want to check this out.  Here they are:

  • 12 very specific policies and procedures including data governance, access controls, systems and application development and QA, vendor and third party risk management and incident response.  That is just one of the items.
  • Third party service provider management
  • Multi-factor authentication
  • Hiring a CISO, who must submit an annual report to the regulator, signed off on by the Board
  • Application security procedures, guidelines and standards
  • Cyber security staff and intelligence
  • Cyber security audit
  • Notification of the department in the event of any cyber security incident.

While this is only a proposal and may change, it likely will not “go away”.

If you are a regulated entity, now might be a good time to start planning and getting ready for whatever comes.




Information for this post came from the WSJ and Reuters.