After a three-year investigation/enforcement action by the New York Department of Financial Services (“NYDFS”), NYDFS entered into a Consent Order with a large title insurer (the “Company”) for its violation of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500) (the “Regulation”), specifically, its failure to protect non-public information (“NPI”). NYDFS originally brought the enforcement action in July 2020 (and the SEC had its own separate investigation and enforcement, which was concluded in 2021).
Although the NYDFS initial statement of charges in the enforcement action alleged numerous violations of the Regulation, the consent order has pared those down to two violations, related to the Company’s failure to maintain reasonable access privileges and a corresponding lack of sufficient policies and practices related to access controls.
Alleged Regulation Violations
First, NYDFS found that the Company failed to implement access controls sufficient to prevent unauthorized users from gaining access to NPI through one of the Company’s applications, in violation of § 500.7. According to NYDFS, the application at issue contained documents that were accessible via a link alone (without login or authentication). In addition to the lack of required authentication to access the documents, one could replace the document ID in the URL with another sequential number and gain access to unrelated documents without authorization. These issues involving unintended access to documents in the application were initially identified in a vulnerability assessment performed for the Company in December 2018 but were unaddressed until the vulnerability was discovered by a journalist who published their findings in May 2019.
Relatedly, NYDFS concluded that the Company failed to adequately maintain and implement an effective cybersecurity policy related to access controls in violation of §§ 500.3(b), (d), and (m). NYDFS noted that while the Company had many policies and procedures in place, it did not ensure complete implementation of such policies, citing the Company’s risk assessment that incorrectly classified one of its applications as one that did not contain NPI when it in fact housed documents that contained NPI. Based on that, NYDFS concluded that the Company was not “implement[ing] an appropriate, risk-based policy governing access controls.” This is consistent with NYDFS’s recent amendments to the Regulation, which emphasize the need to operationalize its cybersecurity policies through procedures developed, documented, and implemented in accordance with written policies.
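The two findings above describe a concrete pattern: a document endpoint with no authentication and no check that the requester is entitled to the record behind a given sequential ID, and a risk assessment that classified the application as holding no NPI. The following is an added illustration, not code from the consent order, the Company, or NYDFS; the document store, session handling, application inventory, and all sample data are constructed for this example. It places the unchecked lookup beside a hardened version that authenticates the caller and authorizes against the record's owner, and adds a small audit that flags applications whose declared "no NPI" classification disagrees with the data they actually hold.

```python
"""Added example (constructed): access control for a document lookup,
and an audit of NPI classification in an application inventory."""
from dataclasses import dataclass
from typing import Dict, Optional
import secrets


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str          # user entitled to view this record
    contains_npi: bool  # whether the record holds non-public information
    body: str


# Constructed document store keyed by sequential IDs, like the application
# described in the order: guessing the next number is trivial.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "alice", True, "closing statement for alice"),
    1002: Document(1002, "bob", True, "deed for bob"),
    1003: Document(1003, "alice", False, "public brochure"),
}


def fetch_document_insecure(doc_id: int) -> Optional[str]:
    """Before: anyone holding a link (or any sequential ID) gets the record.
    There is no authentication and no check that the caller may see it."""
    doc = DOCS.get(doc_id)
    return doc.body if doc else None


# Constructed session table: token -> username. A real application would
# use its framework's session store; the point is that a token is required.
SESSIONS: Dict[str, str] = {}


def login(username: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


class AccessDenied(Exception):
    pass


def fetch_document_secure(session_token: Optional[str], doc_id: int) -> str:
    """After: authenticate first, then authorize against the record's owner.
    An unknown ID and a record the caller does not own produce the same
    error, so the endpoint does not reveal which IDs exist."""
    user = SESSIONS.get(session_token) if session_token else None
    if user is None:
        raise AccessDenied("authentication required")
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != user:
        raise AccessDenied("not found or not permitted")
    return doc.body


def can_access(session_token: Optional[str], doc_id: int) -> bool:
    """Convenience wrapper: True if the hardened lookup would succeed."""
    try:
        fetch_document_secure(session_token, doc_id)
        return True
    except AccessDenied:
        return False


# Constructed risk-assessment inventory: application -> "declared to hold NPI".
# The app below is recorded as holding no NPI, mirroring the misclassification
# the order describes.
APP_INVENTORY: Dict[str, bool] = {"docstore": False, "brochures": False}
APP_DOCS: Dict[str, Dict[int, Document]] = {
    "docstore": DOCS,
    "brochures": {2001: Document(2001, "public", False, "rate sheet")},
}


def audit_npi_classification(inventory: Dict[str, bool],
                             app_docs: Dict[str, Dict[int, Document]]) -> list:
    """Return applications declared NPI-free whose stored records include
    NPI. A non-empty result means the access-control policy is being
    applied to the wrong scope and the risk assessment needs correcting."""
    return sorted(
        app for app, declared_npi in inventory.items()
        if not declared_npi
        and any(d.contains_npi for d in app_docs.get(app, {}).values())
    )


if __name__ == "__main__":
    print("insecure lookup of 1002:", fetch_document_insecure(1002))
    tok = login("alice")
    print("alice on 1001:", can_access(tok, 1001), "| alice on 1002:", can_access(tok, 1002))
    print("misclassified apps:", audit_npi_classification(APP_INVENTORY, APP_DOCS))
```

The hardened lookup keys authorization on a server-side attribute of the record (its owner) rather than on secrecy of the URL, which is the control the order faults the Company for lacking; the audit is the check that would have caught the risk-assessment error before the policy gap became an exposure.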
Settlement Provisions
The Company agreed to a $1 million penalty, which NYDFS indicated reflected the Company’s cooperation during the investigation. The consent order also indicated that the Company submitted to NYDFS for approval a Remediation Overview and Compliance Summary detailing the Company’s efforts to address the violations in the consent order and further enhance its cybersecurity program.