Tag Archives: NYDFS

Security News Bites for the Week Ending July 24, 2020

Cloudflare DNS Goes Down Taking A Big Chunk of the Internet Down

Good news and bad news. For companies like Shopify, League of Legends and Politico, among many others, Friday afternoon gave you a headache. You outsourced your DNS to Cloudflare and they had a burp. The good news is that because they are Cloudflare they were able to diagnose it and mitigate the problem in 25 minutes. While no one wants to be down, could you fix your internal DNS server meltdown in 25 minutes? Credit: Techcrunch

Great Article on How Norsk Hydro Dealt with a Ransomware Attack

Bloomberg has a great article on how Norsk dealt with their ransomware attack. Couple of thoughts. They spent $60 million to recover. Their insurance has paid them $3.6 million. You do the arithmetic. And, they weren’t dealing with ransomware 2.0 which really changes things. Check out the article on Bloomberg.

Grayshift Has a New Form of Spyware

Grayshift, the company that breaks into cell phones for cops and “other entities”, has come up with a new tool. Take a locked iPhone and put it on the Grayshift box. They install malware onto your locked iPhone. Then they give it back to the suspect under the guise of, say, calling their lawyer. The suspect unlocks the phone and the malware records the unlock code. Then the cops take the phone back and can unlock the phone without you. Likely Apple will figure out how they are doing this, but for now, it works. Credit: NBC News

First American (Title Company) Makes History

New York’s Department of Financial Services released a highly detailed set of security standards a couple of years ago for businesses that they regulate called DFS 500. This set of security standards dictates what controls and processes banks, mortgage companies, insurance companies and others must implement to protect the data that they store. First American is the first company that DFS has sued for messing up. There were 885 million records exposed and the fine can be $1,000 per record. You do the math and start the negotiations. Credit: PYMNTS.Com

MBA Panel Discusses Third Party Risk Issues

According to HousingWire, a panel at the Mortgage Bankers Association mortgage servicing conference discussed cyber risks and one seems to have the attention of regulators is risk introduced by vendors.  All you have to do is think back to Target, Home Depot and the Office of Personnel Management (collectively around 200 million compromised records).  The entry point of attackers in all three cases was vendors.

The panel pointed to guidelines from The New York Department of Financial Services (NYDFS), which are voluntary now, but may not be voluntary for long.  NYDFS is working with many state and federal regulators to make their view of the universe the nation’s standard.

While NYDFS only regulates entities like banks, insurance companies and broker-dealers (among others), there is a food chain to consider.  If you sell to or provide services for one of these covered entities, then that entity is going to require that you measure up to their regulator’s rules.  Otherwise, the regulator will come after them.

The NYDFS wants their rules to be included in contracts that regulated entities use.  That way there is no question.  You don’t want to agree to these terms, then don’t do business with them.

Some of the rules include:

  • Requirement to use two factor (or multi factor) authentication.
  • Use of encryption at rest and in motion.
  • Notification in case of a breach (yes, believe it or not, some banks recently were found to not require vendors tell them if the vendor was breached).
  • Indemnification in case the entity that is contracting for services experiences a loss due to the vendor being breached.
  • A requirement that the entity be able to audit the third party vendor (you may recall some issues around Blue Cross and their refusal to let the feds audit them.  With this clause in the contract, no audit, no payments).
  • Finally, reps and warrants regarding the third party’s information security.

This is only a partial list of the requirements, but as you can see, the implications are serious.  If Target’s refrigeration vendor had to indemnify them, the vendor would be out of business.

AND, the NYDFS is working with other regulators to get them to adopt these same rules.

So, while this only affects New York regulated entities and any company that does business with them, expect this to grow.  Look for a future blog post on what California is doing in this area.

One option is to wait until the rules are mandatory and then scramble to react to them.  Alternatively, you could be proactive and create a vendor risk management program under your timeline.  The second way may be less stressful.  It will allow you to grow the program over time as you work out the kinks.


Information for this post came from HousingWire.

NY Regulator Unveils Proposed New Cyber Security Regulations

When Ben Lawsky was running the New York Department Of Financial Services, he proposed new cyber security examination rules.  Now that he is gone on to start his own legal consulting firm, the legacy that he started continues.

This week the post-Lawsky NYDFS has released a set of proposed cyber security regulations.  And, just to up the ante, they shared their proposed regulations with every other significant regulator: the Federal Reserve, the OCC, the SEC and every other state regulator.  Their goal is to get everyone to adopt the same basic rules.

So what is in this gem?  If you are a state or federally chartered bank, an insurance company or a broker-dealer, you might want to check this out.  Here they are:

  • 12 very specific policies and procedures including data governance, access controls, systems and application development and QA, vendor and third party risk management and incident response.  That is just one of the items.
  • Third party service provider management
  • Multi-factor authentication
  • Hiring a CISO, who must submit an annual report to the regulator, signed off on by the Board
  • Application security procedures, guidelines and standards
  • Cyber security staff and intelligence
  • Cyber security audit
  • Notification of the department in the event of any cyber security incident.

While this is only a proposal and may change, it likely will not “go away”.

If you are a regulated entity, now might be a good time to start planning and getting ready for whatever comes.




Information for this post came from the WSJ and Reuters.