NYDFS 500 First Enforcement Action

Landscape photo of New York City and Brooklyn Bridge

In July 2020, the New York State Department of Financial Services (NYDFS) filed the first enforcement action under the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500), against First American Title Insurance Company (First American), a large title insurance provider.

What is the NYDFS Cybersecurity Regulation?

NYDFS Cybersecurity Regulation, is a set of regulations that places cybersecurity requirements on financial institutions regulated by NYDFS. It applies to all entities operating under DFS licensure, registration, charter, or that are otherwise DFS-regulated. It is also applicable to unregulated third-party service providers working with regulated entities. Examples of covered entities include banks, mortgage companies, and insurance companies.

This regulation is based on the NIST Cybersecurity Framework (CSF). Built around five functions — Identify, Protect, Detect, Respond, and Recover. However, it is important to note that the NYDFS Cybersecurity Regulation specifies requirements beyond CSF, such as protecting non-public information (NPI) rather than customer data, mandating the appointment of a CISO or third-party equivalent, and requiring a program for secure data destruction.

What Prompted the Creation of the NYDFS Cybersecurity Regulation?

The news around the data exposure leading up to this enforcement action was first broken by renowned cybersecurity journalist, Brian Krebs, back in May 2019. A real estate developer and customer of First American located in Washington State informed Krebs that if you modified a single digit of a valid document URL you could access other documents thereby exposing potentially millions of records and associated NPI. This was consequently confirmed by Krebs before informing First American and ultimately publishing news of the exposure. The NYDFS Statement of Charges included further detail from its own investigation regarding the vulnerability:

“The URL for each website shared via EaglePro included an ImageDocumentID number, and each document in FAST was assigned a sequentially numbered ImageDocumentID. By changing the ImageDocumentID number in the URL by one or more digits, anyone could view the document corresponding to the revised ImageDocumentID. As a result, by simply typing in any ImageDocumentID, any document in FAST could be accessed regardless of whether the viewer had authorized access to those documents. Until May 2019, the URLs shared via EaglePro had no expiration date.”

NYDFS also alleged that a First American penetration test identified the very vulnerability that allowed for this data exposure back in December 2018, but First American had failed to remediate.

NYDFS Statement of Charges Against First American

Ultimately, the NYDFS Statement of Charges alleges six different violations of Part 500:

  1. Failure to maintain a cybersecurity program to protect the confidentiality, integrity and availability of sensitive information in violation of 23 NYCRR 500.02.
  2. Failure to maintain a management approved information security policy and related procedures in violation of 23 NYCRR 500.03.
  3. Failure to implement appropriate user access privileges and restrictions in violation of 23 NYCRR 500.07.
  4. Failure to conduct periodic risk assessments for input to the cybersecurity program in violation of 23 NYCRR 500.09.
  5. Failure to adequately train personnel and update training to reflect new identified risks in violation of NYCRR 500.14(b).
  6. Failure to implement security controls, particularly encryption, to protect sensitive and non-public personal information (“NPI”) in violation of NYCRR 500.15.

A hearing to review the charges has been scheduled for October 26, 2020 and will be held at the New York State Department of Financial Services. This regulation was implemented pursuant to Section 408 of the Financial Services Law. Any violation of Section 408 carries penalties of up to $1,000 per violation. DFS alleges that each instance of NPI encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.

The results of the hearing are anxiously awaited by many to see what the ultimate financial penalties might be and what precedents might be set for future enforcement. Any enforcement action behind a regulation is a sweeping signal of reality to skeptics that believe regulation only a symbolic action.

Meet NYDFS Cybersecurity Regulation

The LogRhythm NextGen SIEM Platform helps meet NYDFS with normalized data, advanced correlation rules, machine learning, and security automation and orchestration response (SOAR) to help you improve your cybersecurity maturity and reduce risk. Through 24×7 monitoring and real-time alerting, the LogRhythm Platform brings attention to events in your environment that may lead to a data breach or compliance violation.

Moreover, the SIEM platform’s rich reporting features can help your organization structure and automate the generation of reports for any piece, block, or trend of information required from the systems feeding it. With the above support, LogRhythm can help your organization meet or exceed the NYDFS Cybersecurity Regulation.

How LogRhythm Helps Organizations Stay NYDFS Compliant

The sections of NYDFS that were invoked in the charges against First American include some of the most common cybersecurity control families in any control framework and LogRhythm fulfills or augments most of those requirements!

Section 500.02 – Cybersecurity Program

LogRhythm offers full Threat Lifecycle Management from forensic data collection to incident recovery. The platform provides a centralized management system capable of alarming, reporting, and investigating security breaches to the network. Combined with alarms and SmartResponse™ capabilities, LogRhythm’s AI Engine helps organizations determine if a threatening event or series of events is present, notifies appropriate parties, and can begin mitigating actions automatically or with manual approval. Examples of these actions include disabling Active Directory accounts, adding addresses to firewall block lists, and quarantining machines. These actions can help an organization respond to and recover from a cybersecurity incident, while also helping organizations reduce their mean time to detect (MTTD) and mean time to respond (MTTR). MTTD and MTTR metrics are a standard feature of the LogRhythm Platform.

Section 500.03 – Cybersecurity Policy

Many of the cybersecurity policy requirements are supported log source types within LogRhythm. Supported log sources can be ingested by the platform, monitored, analyzed, and reported upon to support enforcement of security policies within the organization.

Section 500.07 – Access Privileges

LogRhythm monitors activities by both users and systems to assist in determining necessary or frivolous access and resource needs of production systems. LogRhythm enables users to easily review activities such as network connections, application access, and system logons to help identify appropriate and inappropriate use according to policy. Additionally, because of the heightened risk associated with privileged user accounts, LogRhythm features extra controls around monitoring of privileged user activity and access management. LogRhythm uses role-based access control (RBAC) for entities as well as individual log sources for the roles within the platform. This provides an organization the granular control needed to comply with access privileges.

Section 500.09 – Risk Assessment

LogRhythm collects and analyzes suspicious network activity or activities indicative of cybersecurity risks. LogRhythm correlation rules provide alerting on events indicative of potential cybersecurity threats or attacks on the network. LogRhythm dashboards, investigations, and reports provide evidence of cybersecurity events in support of early detection and incident response. LogRhythm can help organizations break down their various structures, (e.g. networks, subsidiaries, operating companies, major systems) with clear lines about the risk and threat levels associated with each of these groups, all the way down to their subnets and individual nodes. These numbers work into a risk-based prioritization (RBP) score that weighs the significance of each log that enters the LogRhythm Platform to determine if what has happened is truly an event or only a log. Furthermore, this structure can change alongside changes to the organization, allowing LogRhythm to grow and adapt in step.

Check out LogRhythm’s white paper on NYDFS to see the complete breakdown of the NYDFS requirements and how the LogRhythm Platform can enable your compliance efforts. Ready to see the platform in action? Contact us online to request your free demo.