A recent $3 million cybersecurity consent order issued by the New York Department of Financial Services provides valuable lessons on how financial service firms—even those outside of New York—should ensure the security of their systems and communications tools, says Marc Gilman, general counsel of Theta Lake.
The New York Department of Financial Services (DFS) has been busy in 2021 with several cybersecurity-related matters. It introduced a cybersecurity insurance risk framework, issued a security alert about Microsoft Exchange, sent out another alert about fraud, and entered into a consent order with Residential Mortgage Services, Inc.
On April 14, the DFS announced another consent order with National Securities Corporation (NSC) for violations of 23 NYCRR 500, its cybersecurity regulation, with a significant fine of $3 million (twice that of Residential Mortgage). The order also imposed remedial actions, including submission of refined incident response plans, risk assessments, and training and monitoring materials—all worth examining for lessons for compliance and security practitioners.
The impact of the consent order goes beyond insurance and financial services organizations in New York. The DFS cybersecurity framework served as the basis for the NAIC’s model cybersecurity law, which is now active or proposed in roughly 20 states, and intersects with many of the common controls found in SOC 2, ISO 27001, and other security frameworks.
Even if your organization is not subject to the DFS regulation, take heed of the findings below.
Multi-Factor Authentication Is Essential
NSC reported two incidents to the DFS, and common to both was the fact that the compromised accounts did not have multi-factor authentication (MFA) enabled, despite a clear directive to do so under Section 500.12 of the regulation. During its inquiry into NSC, the DFS uncovered nearly 60 third-party applications that did not have MFA enabled. Moreover, the DFS discovered two additional cybersecurity events that had not been reported to the DFS as the regulation requires.
In the current remote work environment, enabling MFA and other security controls on mission critical collaboration and chat platforms like Zoom, Slack, and Microsoft Teams is essential. Protecting the NPI transmitted over collaboration and chat applications and leveraging supporting supervisory applications to detect potential data leakage and exposure must be top of mind for security and compliance teams at DFS covered entities.
Enabling MFA on any applications that touch nonpublic information (NPI) is critical. While the nuts and bolts of configuring systems to leverage MFA are often framed as an IT issue, operationally the reality is more nuanced. For internally developed applications, ensuring that the software development lifecycle accounts for MFA during the planning stages is critical.
In the context of third-party applications, maintaining accurate and up to date application inventories that define MFA as a mandatory control is a must. Section 500.8 of the DFS regulation (also covered in the NAIC model) discusses application security requirements for both internally and externally developed systems, reinforcing the need for strong assessment processes.
Guidance for Incident Response Plans, Risk Assessments
The additional remedial actions in NSC’s consent order include requirements to refine incident response plans, update risk assessments, and conduct training and monitoring of staff. Each of these tasks requires cross-functional coordination between internal groups to be successful.
A solid incident response program must consider how identified events are assessed and categorized as well as how communications with customers, employees, vendors, outside counsel, and insurers are conducted to account for regulatory reporting requirements, assertion of legal privilege, and reputational and brand implications.
Planning and coordination between internal and external stakeholders from security and investigations to finance and PR are critical for developing an incident response plan with clearly articulated roles and responsibilities that can be invoked when a potentially relevant event is identified. Although unclear from the consent order, NSC’s reporting failures may have stemmed from an incomplete or inaccurate incident response plan.
Regarding risk assessments, security teams must work with compliance, privacy, legal, and other departments to appropriately classify potential exposure to compromised NPI and incorporate relevant third-party vendor risks. Seeking legal and privacy input about the implications of the DFS regulation, as well as other rules like the SEC’s Reg S-P and Reg S-ID and global privacy requirements under the GDPR and CCPA, is essential to building a complete and accurate risk register.
Finally, security awareness training, phish testing, and monitoring are often jointly owned by security and compliance. Security teams offer critical technical knowledge about emerging threat actors and vulnerability trends while compliance often maintains the platforms and programs used for employee training and oversight.
In terms of recent security indicators, it is worth noting that two of the incidents at issue in NSC involved compromised email accounts, including the CFO’s, that were surreptitiously configured to automatically forward messages to outside threat actors, resulting in the exposure of sensitive information to the third-party hacker.
This type of email forwarding attack is increasingly common—it is nearly identical to one that impacted registered broker-dealer Supreme Alliance LLC and was the subject of a FINRA AWC in December 2020—so enhanced phish testing on this particular threat is crucial.
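The forwarding attack described above leaves a durable artifact: a mailbox rule or forwarding address that points outside the firm. The following is an added example (not from the column or from NSC) of a periodic check a security team could run over an export of mailbox forwarding settings to flag any rule that sends mail to an external domain; the export format, the internal domain list, and the sample rules are all constructed for illustration.

```python
"""Flag mailbox auto-forwarding rules that deliver mail outside the firm.

Assumes the mail platform can export each mailbox's forwarding rules as
(mailbox, rule name, list of forward-to addresses, enabled flag). The
export format and sample data below are constructed, not a real product API.
"""
from dataclasses import dataclass, field

# Hypothetical internal domain; subdomains (e.g. mail.example-broker.com) count as internal.
INTERNAL_DOMAINS = {"example-broker.com"}


@dataclass
class ForwardRule:
    mailbox: str
    rule_name: str
    forward_to: list[str] = field(default_factory=list)
    enabled: bool = True


def is_internal(address: str, internal_domains: set[str] = INTERNAL_DOMAINS) -> bool:
    """True if the address belongs to the firm's domain or one of its subdomains."""
    if "@" not in address:
        return False  # malformed or local-part-only target: treat as untrusted
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(">")
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def find_external_forwards(rules: list[ForwardRule],
                           internal_domains: set[str] = INTERNAL_DOMAINS) -> list[dict]:
    """Return one finding per enabled rule that forwards to at least one external address."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue  # disabled rules are still worth reviewing, but not an active leak
        external = [a for a in rule.forward_to if not is_internal(a, internal_domains)]
        if external:
            findings.append({"mailbox": rule.mailbox.lower(),
                             "rule": rule.rule_name, "external_targets": external})
    return findings


# Constructed sample export: a benign internal forward, a disabled external rule,
# and an active rule on the CFO's mailbox forwarding to an outside domain.
SAMPLE_RULES = [
    ForwardRule("ops@example-broker.com", "to-helpdesk", ["helpdesk@mail.example-broker.com"]),
    ForwardRule("analyst@example-broker.com", "old-rule", ["me@freemail.example"], enabled=False),
    ForwardRule("CFO@example-broker.com", "Archive", ["a.b@attacker-mail.example",
                                                      "backup@example-broker.com"]),
]

if __name__ == "__main__":
    for f in find_external_forwards(SAMPLE_RULES):
        print(f"ALERT mailbox={f['mailbox']} rule={f['rule']!r} -> {f['external_targets']}")
```

Rule names such as "Archive" are exactly what makes these rules easy to overlook in a manual review, so the check keys on the destination domain rather than on the name.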
DFS’s 2021 cybersecurity activity and the proliferation of equivalent rules at the state level suggest that compliance and security failures will result in meaningful enforcement penalties. The cybersecurity mandates of the DFS and other state cybersecurity rules articulate a holistic set of best practices that result in the more effective protection and management of firm and customer data. These new regulations reinforce trust, minimize the potential of data loss, and evidence a baseline vigilance and preparedness that can ultimately be a product differentiator.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owner.