CYBER CORNER

KEY LEARNINGS FROM A CYBERSECURITY MISHAP

The recent consent order between the New York State Department of Financial Services (DFS) and a prominent title insurance company (the “Company”) is the latest example of financial institutions increasingly finding themselves in the crosshairs of regulators. The order serves as a cautionary tale for covered entities to prioritize cybersecurity.


Insurers doing business in New York state are subject to a set of standards known as Part 500, or the Cybersecurity Regulation, enforced by the DFS. The Cybersecurity Regulation is meant to protect consumer data, mandate security controls, and ensure timely reporting of cyber incidents. Two of the standards contained in the Cybersecurity Regulation were at issue here. One standard required covered entities to conduct a risk assessment to inform the development of cybersecurity policies around data governance, access controls, and identity management. These policies should be updated as necessary to reflect changes in the entity’s risk profile. The other standard required covered entities to limit user access privileges to systems that hold non-public information (NPI) and to encrypt NPI both in transit and at rest.


In this case, the Company had developed a proprietary application that allowed parties to a real estate transaction to view images of the documents related to it. In 2014, the Company added a function that permitted its employees to create hyperlinks to these images. The problem was that a link generated by the application for one user could be opened by any other user, with no further authentication. Although employees were instructed not to use the hyperlinks to transmit NPI, no controls were in place to prevent them from doing so.
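The flaw just described is a missing authorization check: the link itself was the only thing standing between a document image and whoever held the link. The following is an added illustration, not the Company's application or any code from the order, that models the feature two ways: the flawed pattern (a token that maps straight to a document, with no record of the intended recipient and no check of the requester) beside a hardened version that binds each link to its recipient, requires an authenticated session, expires the link, and logs every refusal so misuse attempts are visible to the security team. Class names, the sample document table, and the user names are constructed for the example.

```python
"""Added illustration: a document-link feature written two ways, the flawed
pattern the consent order describes beside a hardened one. Not the Company's code."""
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample documents; a real system would serve images from storage.
DOCUMENTS: Dict[str, bytes] = {
    "doc-1001": b"deed-image-bytes",
    "doc-1002": b"tax-record-image-bytes",
}


class VulnerableLinkService:
    """The flaw as described in the order: a link is a long-lived token that maps
    straight to a document. Anyone presenting the token receives the image; the
    intended recipient is never recorded and the requester is never checked."""

    def __init__(self) -> None:
        self.links: Dict[str, str] = {}

    def create_link(self, doc_id: str, intended_user: str) -> str:
        token = secrets.token_urlsafe(16)
        self.links[token] = doc_id  # intended_user is silently discarded
        return token

    def open_link(self, token: str, requesting_user: Optional[str]) -> Optional[bytes]:
        doc_id = self.links.get(token)
        if doc_id is None:
            return None
        return DOCUMENTS.get(doc_id)  # no authentication, no authorization


class HardenedLinkService:
    """Each link is bound to one recipient, opens only inside an authenticated
    session belonging to that recipient, expires after a TTL, and every refusal
    is recorded so repeated attempts with someone else's link stand out."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        # token -> (doc_id, intended_user, expiry timestamp)
        self.links: Dict[str, Tuple[str, str, float]] = {}
        self.ttl = ttl_seconds
        # (token prefix, requesting user, reason); feed to the SIEM in practice
        self.denials: List[Tuple[str, Optional[str], str]] = []

    def create_link(self, doc_id: str, intended_user: str,
                    now: Optional[float] = None) -> str:
        if doc_id not in DOCUMENTS:
            raise KeyError(doc_id)
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.links[token] = (doc_id, intended_user, now + self.ttl)
        return token

    def _deny(self, token: str, user: Optional[str], reason: str) -> None:
        # Log only a prefix: the full token is a credential and must not land in logs.
        self.denials.append((token[:8], user, reason))

    def open_link(self, token: str, requesting_user: Optional[str],
                  now: Optional[float] = None) -> Optional[bytes]:
        now = time.time() if now is None else now
        if requesting_user is None:  # no authenticated session at all
            self._deny(token, None, "unauthenticated")
            return None
        entry = self.links.get(token)
        if entry is None:
            self._deny(token, requesting_user, "unknown-token")
            return None
        doc_id, intended_user, expires_at = entry
        if now > expires_at:
            self._deny(token, requesting_user, "expired")
            return None
        if requesting_user != intended_user:  # the check the flawed version lacks
            self._deny(token, requesting_user, "wrong-user")
            return None
        return DOCUMENTS[doc_id]


if __name__ == "__main__":
    bad = VulnerableLinkService()
    t = bad.create_link("doc-1001", "alice")
    print("vulnerable, opened by another user:", bad.open_link(t, "mallory"))

    good = HardenedLinkService(ttl_seconds=60)
    t = good.create_link("doc-1001", "alice")
    print("hardened, intended user:", good.open_link(t, "alice"))
    print("hardened, another user:", good.open_link(t, "mallory"))
    print("refusals logged:", good.denials)
```

The hardened service still leaves policy questions open (which parties to a transaction may receive a link at all, whether a recipient may forward one), but it removes the condition the order faults: a link that works for whoever holds it. The denial log is the detection hook; a burst of "wrong-user" or "unauthenticated" refusals against live tokens is exactly the signal a penetration-test finding like the one in this case should be traced against.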


In 2019, a reporter published an article calling attention to this vulnerability, which potentially exposed hundreds of millions of documents to the public. These documents contained a treasure trove of NPI, including social security numbers, drivers’ licenses, tax records, and bank account information. In response, the Company shut down external access to the hyperlinks, notified affected parties of the vulnerability, and offered them credit monitoring. The Company also notified DFS of the vulnerability as required under Part 500.


Upon further investigation, DFS discovered that the Company had become aware of the vulnerability five months prior to the reporter’s article. The vulnerability had been identified as part of a routine penetration test, and the Company’s cyber defense team issued a report indicating that the vulnerability needed to be addressed “as soon as possible.” However, no further investigation or review of the vulnerability was conducted. DFS found that the Company’s failure to implement reasonable access controls contributed to the potential unauthorized access of NPI.


The consent order notes that the Company had policies and procedures in place to prevent the exposure; however, the Company did not put them into practice, and its access controls proved insufficient to keep unauthorized users from gaining access to NPI. As a result, the Company received a $1M penalty, for which it was expressly prohibited from seeking an insurance recovery, and agreed to a series of remedial and compliance measures. DFS noted the Company’s cooperation throughout the course of the investigation and applauded its ongoing efforts to rectify the security shortcomings that led to the event.