Validating Cyber Compliance in Light of the First DFS Enforcement Action

We recently reported on the New York State Department of Financial Services' (DFS) first enforcement action under its 2017 cybersecurity regulation ("Part 500"), which prescribes how financial services companies licensed to operate in New York should construct their cybersecurity programs. DFS' statement of charges provides important insight into the agency's priorities and expectations when assessing how a company has addressed and mitigated a data exposure, and offers a roadmap for how other regulators might interpret similar data security laws being implemented across the country. Given increasing regulatory scrutiny and the fact that inappropriate cybersecurity procedures and practices could result in significant financial liabilities, companies should proactively re-assess where they stand in relation to applicable cyber mandates.

We highlight here some key takeaways from the recent DFS enforcement action that entities subject to Part 500 should carefully consider when validating their current state of compliance.

Comprehensive Risk Assessment

Part 500.09 requires a company to conduct periodic risk assessments of its information systems. DFS alleged the company failed to perform an adequate risk assessment because it failed to identify where nonpublic information was stored and transmitted within its information systems and failed to identify the availability and effectiveness of controls to protect such information and systems. The action demonstrates that DFS requires covered entities to have a comprehensive understanding of how sensitive consumer information is received, stored, used or processed, and disseminated in the course of business operations. Business units and staff with such knowledge should participate in conducting the required risk assessment.

Prompt Remediation of Identified Vulnerabilities

Part 500.05 requires a company to conduct periodic penetration testing and vulnerability assessments of its information systems. Best practice requires that any discovered vulnerability be remediated by capable personnel within a time frame that accords with the severity and scope of the vulnerability. DFS alleges the company conducted penetration testing and discovered a vulnerability that resulted in the exposure of sensitive documents, but failed to remediate the problem as a result of a "cascade of errors" that included not classifying the vulnerability as more than "low" severity despite the magnitude of the document exposure; failing to follow its own internal cybersecurity policies by neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability; failing to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; failing to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability; and assigning remediation of the discovered vulnerability to "a new employee with little experience in data security."

Companies should take prompt remedial action in accordance with their policies and procedures if they discover a data exposure, and should make clear the responsibilities of individual departments and employees in responding to vulnerabilities and data breaches.

Centralized Cybersecurity Awareness Training

Part 500.14 requires a company to provide regular cybersecurity awareness training for all personnel. DFS alleges the company's employee training was insufficient because it was delegated to individual business units, which designed and conducted training at their own discretion with no centralization or coordination. In addition, the sole control preventing the transmission of sensitive consumer information was a mere instruction to employees and users not to send such information. Companies should develop centralized and regularly audited cybersecurity awareness training and provide enhanced training for those employees who specifically handle or control sensitive consumer information.

Potentially Large Penalties Despite No Allegation of Consumer Harm

Part 500 empowers DFS to pursue enforcement under any applicable law. DFS references section 408 of the Financial Services Law and claims there were approximately 255 million violations and that each violation constitutes a fine of up to $1,000. DFS has not claimed that consumers were harmed by the alleged exposure of documents. Companies should take note that DFS' position raises the possibility of massive financial penalties even without identifiable harm to consumers.

Final Thoughts

Following enactment of Part 500, DFS created a cybersecurity division and provided extensive cyber training to its examiners. Cybersecurity is included in all regular DFS examinations. Now that active enforcement of the regulation has begun, covered entities should ensure that they'll meet the challenge by proactively validating their current state of cyber compliance.