The New York State Department of Financial Services (“DFS”) issued a Statement of Charges and Notice of Hearing (the “Charges”) earlier today against First American Title Insurance Company (“First American”) for multiple violations of the DFS Part 500 Cybersecurity Regulation (the “Regulation”), including:
- Failure to perform an adequate risk assessment
- Failure to maintain proper access controls
- Failure to provide adequate security training for cybersecurity employees
- Failure to encrypt certain nonpublic information
The Charges carry potential penalties of up to $1,000 per violation, and in its press release, the DFS asserts that each instance of nonpublic information that was accessed by an unauthorized person constitutes a separate violation. The Charges allege that hundreds of millions of documents were at risk, more than 350,000 documents were accessed without authorization, and that a sample of 1,000 documents found that 30% contained nonpublic information.
This is the first cybersecurity enforcement action the DFS has brought under its regulations, and one of only two instances we are aware of in which the DFS issued a Statement of Charges against a financial institution, rather than a Consent Order or Settlement Agreement.
The Charges offer some key insights into how the DFS will interpret and enforce the Regulation going forward, and where companies face the most significant regulatory cyber risk.
The DFS Cybersecurity Regulation
The Regulation (23 N.Y.C.R.R. Part 500) is still the most comprehensive cybersecurity regulation in the United States. The DFS opted to implement the Regulation in four phases, the first of which went into effect on August 28, 2017. Regulated entities were required to certify compliance with all of the rules for the first time on June 1, 2020.
The Allegations Against First American
First American Title Insurance Company is the largest subsidiary of First American Financial Corporation, and is a licensee of the DFS superintendent authorized to write title insurance in New York. In 2019, a real estate developer discovered that hundreds of millions of documents, some of which contained sensitive personal information, could be accessed through First American’s website.
First American’s main document repository is known as “FAST.” First American also created and maintained an application known as EaglePro, which is a web-based document delivery system that allows First American employees to share documents with the parties to a transaction. According to the Charges, the documents stored in FAST were identified by a number, which was included in the URL shared by EaglePro for that document. By modifying one of the digits in the URL, a user could potentially access other people’s records. Krebs on Security reported in May 2019 that over 800 million files could be viewed via this method.
The compromised documents were related to mortgages, and some contained bank account numbers, tax records, Social Security Numbers, wire transaction receipts, and drivers’ license images. The DFS alleges that the vulnerability existed for over four years, from at least October 2014 through May 2019. Further, the Charges allege that First American discovered the vulnerability through a penetration test in December 2018, but ignored a recommendation from the internal cyber defense team to investigate further and determine whether sensitive documents were exposed. That team had reviewed 10 documents exposed by the vulnerability, none of which contained nonpublic information, which led the team to conclude, erroneously, that the vulnerability exposed no nonpublic information.
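The access pattern described above (a sequential document number in the shared URL, with nothing checking who is asking) is a classic insecure direct object reference. The following is an added illustration, not code from First American or from the Charges: a vulnerable lookup beside a hardened one that hands out an unguessable share token and still checks that the requester is a party to the transaction. The document store, transaction ids and user names are constructed sample data.

```python
import secrets
from typing import Optional

# Constructed sample data: documents keyed by a sequential number, the kind of
# identifier the Charges say appeared in EaglePro links. Contents are made up.
DOCUMENTS = {
    1000001: {"transaction": "TX-A", "body": "closing statement"},
    1000002: {"transaction": "TX-B", "body": "bank account number and SSN"},
}
# Hypothetical mapping of transaction -> users who are parties to it.
PARTIES = {"TX-A": {"alice", "buyer-a"}, "TX-B": {"bob"}}

def fetch_document_insecure(doc_id: int) -> Optional[dict]:
    """Vulnerable pattern: the sequential number is the only input and there is
    no authorization check, so changing one digit returns someone else's file."""
    return DOCUMENTS.get(doc_id)

# Hardened pattern: share links carry a random token that maps to a document,
# and every request is still checked against the transaction's parties.
SHARE_TOKENS: dict = {}      # token -> doc_id
DENIED_LOG: list = []        # denied requests, the signal a SOC would alert on

def create_share_link(doc_id: int) -> str:
    token = secrets.token_urlsafe(32)   # 256 random bits: no adjacent values
    SHARE_TOKENS[token] = doc_id
    return token

def fetch_document_secure(user: str, token: str) -> Optional[dict]:
    doc_id = SHARE_TOKENS.get(token)
    if doc_id is None:
        DENIED_LOG.append(f"user={user} reason=unknown_token")
        return None
    doc = DOCUMENTS[doc_id]
    if user not in PARTIES[doc["transaction"]]:   # authorization, not just a link
        DENIED_LOG.append(f"user={user} doc={doc_id} reason=not_a_party")
        return None
    return doc

def demo() -> dict:
    """Runs both paths on the constructed data and reports the outcomes."""
    token = create_share_link(1000002)
    return {
        "insecure_neighbor": fetch_document_insecure(1000002)["transaction"],
        "owner_ok": fetch_document_secure("bob", token) is not None,
        "outsider_denied": fetch_document_secure("alice", token) is None,
        "bad_token_denied": fetch_document_secure("bob", "not-a-real-token") is None,
        "denials_logged": len(DENIED_LOG),
    }
```

The denial log is the detection hook: a burst of `not_a_party` or `unknown_token` entries from one client is what a monitoring rule for this class of exposure should key on.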
Six Quick Takeaways
We are continuing to analyze the Charges and will provide a more detailed assessment in the coming days, but for now, here are a few takeaways:
- Follow Your Cyber Policies: The DFS stresses in both the Charges and the Press Release that First American failed to follow its own cyber policies by neglecting to conduct a security review and a risk assessment of the flawed application and of the sensitive data exposed by the vulnerability.
- Be Conservative in Categorizing Risks: The DFS also stresses that First American had misclassified the vulnerability as “medium” and “low” severity, despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American’s internal cybersecurity policies.
- Conduct Robust Reviews of Vulnerabilities, With Reasonable Sampling: The DFS repeatedly notes that after the data exposure was discovered, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed, and thereby underestimating the seriousness of the vulnerability.
- Carefully Consider Recommendations by Internal Cybersecurity Personnel: The DFS focuses on the fact that First American failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
- The Importance of Qualifications and Training: The Charges include a violation of the requirement that regulated entities provide cybersecurity training for personnel that is updated to reflect the risks identified in the risk assessment. The DFS alleges that First American’s employees who uploaded sensitive documents into the FAST system did not receive adequate data security training, resulting in failures both to properly identify sensitive documents and to treat them appropriately.
- Fix Significant Vulnerabilities Quickly: Perhaps the most important takeaway is the DFS’s view that entities should promptly remediate significant vulnerabilities found during risk assessments and penetration tests.
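On the sampling point in the third takeaway, here is an added worked example (not from the post or the Charges) that puts numbers on why a 10-document review proves little and what a 1,000-document sample does establish. It assumes the reviewed documents are drawn at random from the exposed population; the 10, 1,000 and 30% figures are those reported in the post.

```python
import math

def probability_no_hits(rate: float, sample_size: int) -> float:
    """Chance that a random sample finds zero sensitive documents when a
    fraction `rate` of the population actually contains nonpublic information."""
    return (1.0 - rate) ** sample_size

def min_sample_size(rate: float, confidence: float = 0.95) -> int:
    """Smallest random sample that finds at least one sensitive document with the
    given confidence, if the true fraction is `rate`."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - rate))

def upper_bound_rate(clean_sample_size: int, confidence: float = 0.95) -> float:
    """If a random sample of this size found nothing, the largest fraction of
    sensitive documents still consistent with that result (exact form of the
    'rule of three')."""
    return 1.0 - (1.0 - confidence) ** (1.0 / clean_sample_size)

def margin_of_error(observed_rate: float, sample_size: int) -> float:
    """Approximate 95% half-width around an observed rate (normal approximation
    to the binomial), e.g. for the 30% found in a 1,000-document sample."""
    return 1.96 * math.sqrt(observed_rate * (1.0 - observed_rate) / sample_size)

def summary() -> dict:
    """The figures from the post: a clean sample of 10 versus a sample of 1,000."""
    return {
        # a clean 10-document review is consistent with up to ~26% sensitive
        "max_rate_after_10_clean": round(upper_bound_rate(10), 3),
        # to be 95% sure of seeing a 1%-prevalence problem you need ~300 docs
        "docs_needed_for_1pct": min_sample_size(0.01),
        # 1,000 documents at 30% pins the rate to roughly 30% +/- 3 points
        "margin_at_1000": round(margin_of_error(0.30, 1000), 3),
    }
```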
The first DFS enforcement action under its Part 500 rules shows that it regards cybersecurity compliance as more than a check-the-box or paper exercise. Instead, the DFS is signaling that it will carefully review the reasonableness of, and decision-making process supporting, companies’ cybersecurity actions. The Charges seem to acknowledge that a regulated entity can reach a different conclusion than the DFS and still be in compliance, but the company must document its thought process carefully and be prepared to defend the rationale and governance process supporting that decision.
It appears that the DFS is now entering a new phase of its cybersecurity regulation, making enforcement a priority. Companies should carefully review the Charges to see where they may be able to reduce their risks.