Key Learnings from a Cybersecurity Mishap

By Alliant Specialty

The recent consent order between the New York State Department of Financial Services (DFS) and a prominent title insurance company is the latest example of financial institutions finding themselves in the crosshairs of regulators. The order serves as a cautionary tale for covered entities: it is time to prioritize and implement an acceptable level of cybersecurity.

For the uninitiated, insurance companies doing business in New York State are subject to a set of standards known as Part 500, or the Cybersecurity Regulation, enforced by the DFS. The Cybersecurity Regulation is meant to protect consumer data, mandate security controls and ensure timely reporting of cyber incidents. Two of the standards contained in the Cybersecurity Regulation were at issue in this case. One standard requires covered entities to conduct a risk assessment that results in the development of cybersecurity policies around data governance, access controls and identity management. These policies should be updated as necessary to reflect changes in the entity’s risk profile. The other standard requires covered entities to limit user access privileges to systems that hold non-public information (NPI) and to encrypt NPI both in transit and at rest.

The Case Explanation
In this case, the title insurance company had developed a proprietary application that allowed parties to access images of documents related to their real estate transaction. In 2014, the company added a function that permitted its employees to create hyperlinks to these images. The problem was that the link generated by the app could be opened by any person, without any login or authentication. While employees were instructed not to use the hyperlinks to transmit NPI, no technical control prevented them from doing so.

In 2019, a reporter published an article calling attention to this vulnerability, which potentially exposed hundreds of millions of documents to the public. These documents, some of which dated back to 2003, contained a treasure trove of NPI, including social security numbers, drivers’ licenses, tax records and bank account information. In addition, users could alter their search to access other personal information. In response, the title company shut down external access to the hyperlinks, notified affected parties of the vulnerability and offered them credit monitoring. The title company also notified DFS of the vulnerability as was required under Part 500.

Upon further investigation, DFS discovered that the title company had become aware of the vulnerability five months before the reporter’s article. The vulnerability had been identified during a routine penetration test, and the company’s cyber defense team issued a report indicating that it needed to be addressed “as soon as possible.” However, senior management conducted no further investigation or review of the vulnerability. DFS found that the title company’s failure to implement reasonable access controls contributed to the potential unauthorized access of NPI.
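The access-control failure described above, as an added illustration that is not code from the title company or from this article: a link handler that serves a document image to anyone holding the URL (so the document id can simply be changed), beside a hardened handler that requires a logged-in session, a signed and expiring link bound to one recipient, and a per-document check that the caller is a party to the transaction. Document ids, user names, the signing key and the ownership tables are constructed sample data.

```python
import hashlib
import hmac

# Constructed demo key; in practice this comes from a secret store, not source code.
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed sample data: document id -> transaction, transaction -> authorised parties.
DOCUMENTS = {"doc-1001": "txn-A", "doc-1002": "txn-B"}
TRANSACTION_PARTIES = {"txn-A": {"alice", "emp-jones"}, "txn-B": {"bob"}}


def vulnerable_fetch(doc_id):
    """The pattern the consent order describes: the link resolves for anyone, with no
    login and no ownership check, so altering the id reaches other parties' documents."""
    return f"image-bytes-for:{doc_id}" if doc_id in DOCUMENTS else None


def make_link(doc_id, recipient, now, ttl=900):
    """Employee-generated link bound to one recipient and an expiry time, then HMAC-signed
    so neither the document id nor the recipient can be altered without invalidating it."""
    exp = now + ttl
    msg = f"{doc_id}|{recipient}|{exp}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return {"doc": doc_id, "to": recipient, "exp": exp, "sig": sig}


def hardened_fetch(session_user, link, now):
    """Serve the image only if the caller is authenticated, the link is intact and unexpired,
    the link was issued to this caller, and the caller is a party to the document's transaction."""
    if session_user is None:                                    # 1. authentication
        return None
    msg = f"{link['doc']}|{link['to']}|{link['exp']}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(link["sig"], expected):          # 2. link integrity
        return None
    if now > link["exp"]:                                       # 3. expiry
        return None
    if session_user != link["to"]:                              # 4. link bound to this user
        return None
    txn = DOCUMENTS.get(link["doc"])                            # 5. per-document authorization
    if txn is None or session_user not in TRANSACTION_PARTIES[txn]:
        return None
    return f"image-bytes-for:{link['doc']}"
```

Policy alone ("do not send NPI via links") leaves `vulnerable_fetch` reachable; the checks in `hardened_fetch` are the technical control the consent order found missing.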

Consent Order Stance
The consent order notes that the title company had plenty of policies and procedures in place to prevent the event from happening; however, it did not put them into practice, and its access controls proved insufficient to keep unauthorized users from accessing NPI. As a result, the title company received a $1M penalty, for which it was expressly prohibited from seeking an insurance recovery, and agreed to a series of remedial and compliance measures. DFS noted the title company’s cooperation throughout the course of the investigation and applauded its ongoing efforts to rectify the security shortcomings that led to the event.

Implementing Cybersecurity Policies
This investigation underscores the importance of not only conducting risk assessments but also putting into practice the procedures that result from them. Implementing cybersecurity policies entails a combination of technical safeguards and creating a culture within the workforce that prioritizes data protection and cybersecurity. Cyber insurance is important; however, as demonstrated in this case, other safeguards are required. Here, the title company is expressly forbidden from using the proceeds of an insurance policy to offset the penalty imposed by DFS, and the costs of complying with the remedial measures are likely not covered either.

Alliant’s cyber risk consulting team works with clients to improve cyber readiness by reviewing processes and policies and developing action items to maintain good cyber hygiene.

Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.