Financial Institutions Rattled by NYDFS Entry into Cybersecurity Enforcement
By: Mark Kuivila
On July 21, regulators at the New York Department of Financial Services (“DFS”) announced their first action enforcing the state’s unique cybersecurity law for financial institutions and insurers. The charges levied against First American Title Insurance Co. are a wake-up call to covered entities that DFS is eager to enforce the regulation and will do so even when the violation hasn’t directly harmed consumers.
Developed in 2016, the DFS cybersecurity rules require covered entities to implement a variety of safeguards and protocols designed to strengthen their cybersecurity programs and better protect consumers’ personal information. Regulators factored in a two-year implementation period, which ran its course in March 2019, and covered entities have been anxiously awaiting the department’s entry into the enforcement arena.
The charges against First American concern a security deficiency on the company’s public website that allegedly left the personal information of millions of consumers susceptible to exposure. According to regulators, over 800 million mortgage records at First American were accessible to “anyone with a web browser.” First American claims that very few consumers actually had their personal information exposed and that none of those consumers were from New York. While that may be the case, DFS has made clear that it intends to enforce the regulation even if consumers didn’t suffer direct injury from the violation.
Given DFS’s apparent enthusiasm for a broad interpretation of the cybersecurity rules, covered entities should approach their compliance efforts with urgency. Many institutions have already taken concerted steps to ensure that their cybersecurity programs align with the regulation, but in light of the action against First American, covered entities would be well served to revisit these protocols and address any potential deficiencies or vulnerabilities before regulators come knocking.
Additionally, institutions engaging vendors with access to their customers’ personal information need to ensure that these third parties have adopted adequate cybersecurity programs of their own. While your third-party vendors may not qualify as covered entities under the rule, your institution will still be liable for the vendor’s actions in the event of a breach or other security deficiency. Your institution should establish clear compliance expectations with vendors early in the relationship, verify that they have implemented the necessary security protocols, and monitor their compliance on an ongoing basis.
Furthermore, vendors should view their own cybersecurity compliance as an opportunity to build competitive advantage in the procurement process. Showing potential customers that your organization is committed to a robust privacy and security program establishes a valuable level of trust from the outset of the relationship, providing customers with peace of mind and distinguishing your organization from less prepared competitors.
In these challenging times, it may feel as if some aspects of life have slowed to a crawl, but the charges against First American clearly show that for regulators it is still very much business as usual. Don’t let your compliance slip through the cracks! Request a demo of our New York DFS cybersecurity module today.