Adherence to the NY DFS Cybersecurity Regulation


DFS Fines First American Insurance $1 Million for Cybersecurity Failures

The New York State Department of Financial Services (DFS) has made a decisive move against First American Title Insurance Company, imposing a $1 million fine for serious lapses in cybersecurity.  

This penalty stems from a 2019 breach at First American that exposed consumers’ nonpublic information; DFS determined that First American had failed to adhere to its Cybersecurity Regulation (23 NYCRR Part 500).

As a title insurance company, First American handles vast amounts of personal and financial data. The breach stemmed from a critical access-control flaw in an application called EaglePro: anyone holding a link to the application could retrieve documents beyond their own, including documents belonging to unrelated transactions, exposing consumers’ private information on a massive scale.
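To make that class of flaw concrete, here is an added illustration in Python. It is not EaglePro’s or First American’s code; the document ids, transaction ids, users and the `support_admin` role are constructed for the example. It shows a document-retrieval function whose only “control” is possession of an id in a link, beside a hardened version that checks, per object, that the requester is a party to the document’s transaction.

```python
"""Added illustration of a link-based document lookup with no object-level
authorization, next to a hardened version. Sample data is constructed for
the example; this is not EaglePro's code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    doc_id: int
    transaction_id: str
    content: str


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the requester may not read the document (or it does not exist)."""


# Constructed sample data: three documents across two transactions, and
# which users are parties to each transaction.
DOCUMENTS = {
    1001: Document(1001, "TX-A", "closing statement for TX-A"),
    1002: Document(1002, "TX-A", "wire instructions for TX-A"),
    2001: Document(2001, "TX-B", "title commitment for TX-B"),
}
TRANSACTION_PARTIES = {"TX-A": {"alice"}, "TX-B": {"bob"}}


def get_document_insecure(doc_id):
    """Vulnerable pattern: the only 'control' is possession of the id in the
    link. Nothing ties the requester to the transaction, so anyone with one
    link can walk neighbouring ids and read other customers' documents."""
    return DOCUMENTS[doc_id]


def is_party(user, doc):
    """Object-level authorization: is this user a party to this document's
    transaction? ('support_admin' is a hypothetical privileged role.)"""
    if "support_admin" in user.roles:
        return True
    return user.user_id in TRANSACTION_PARTIES.get(doc.transaction_id, set())


def get_document(doc_id, user):
    """Hardened pattern: authorize every object against the authenticated
    requester. 'Not found' and 'not yours' raise the same error so the id
    space cannot be mapped by probing."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_party(user, doc):
        raise Forbidden(f"user {user.user_id!r} may not read document {doc_id}")
    return doc


def enumerate_insecure(id_range):
    """What an id-walking attacker gets from the insecure lookup: every
    document that exists, regardless of whose it is."""
    found = []
    for doc_id in id_range:
        try:
            found.append(get_document_insecure(doc_id).doc_id)
        except KeyError:
            pass
    return found


def enumerate_as(user, id_range):
    """The same walk against the hardened lookup: only the user's own documents."""
    found = []
    for doc_id in id_range:
        try:
            found.append(get_document(doc_id, user).doc_id)
        except Forbidden:
            pass
    return found


if __name__ == "__main__":
    ids = range(1000, 3000)
    print("insecure, anonymous:", enumerate_insecure(ids))            # [1001, 1002, 2001]
    print("hardened, as alice: ", enumerate_as(User("alice"), ids))   # [1001, 1002]
    print("hardened, as bob:   ", enumerate_as(User("bob"), ids))     # [2001]
```

Two design points worth noting: making ids long and random is not a substitute for the per-object check, because a link that is forwarded, logged, or leaked still grants access to whoever holds it; and the hardened lookup deliberately returns the same error for a missing document and a forbidden one, so an attacker probing ids cannot learn which ones exist.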

DFS’s Cybersecurity Regulation, a benchmark since 2017 and recently amended with further cybersecurity requirements, mandates robust governance, risk assessment, and identity management procedures.  

First American’s shortcomings in these areas were not just procedural but indicative of a deeper neglect in safeguarding customer data. This negligence highlighted the company’s failure to effectively implement and enforce cybersecurity policies. 

DFS regulations require entities to continuously assess and update their cybersecurity measures. First American’s case is a stark reminder that compliance is an ongoing process, not a one-time checkbox. 

This settlement is more than a punitive measure; it’s a clear signal to all organizations about the importance of effective cybersecurity practices.  

In an era where data breaches can have far-reaching consequences, companies must be vigilant in protecting consumer information. The First American case serves as a cautionary tale and a learning opportunity for organizations to bolster their cybersecurity defenses. 

This case is not just a legal precedent but a lesson in the necessity of proactive and effective cybersecurity measures in the digital age, especially for insurance agencies that handle nonpublic information for clients.

Starter 5-Step Checklist for Complying with NY DFS Cybersecurity Regulation: 

Conduct Penetration Testing:

Regularly carry out penetration testing to identify vulnerabilities in your network and systems (Part 500 requires penetration testing at least annually, with vulnerability assessments in between). This step is crucial for discovering security weaknesses that could be exploited by attackers and for creating a plan to remediate them.

Implement Managed Detection and Response (MDR):

Use Managed Detection and Response services for 24/7 monitoring and response to cyber threats. MDR offers threat detection, incident response, and continuous surveillance of your environment, and is one practical way to meet the regulation’s monitoring, audit-trail, and incident-response requirements.

Enforce Multi-Factor Authentication (MFA):

Implement Multi-Factor Authentication across all user access points to your internal systems. MFA adds a security layer by requiring multiple forms of verification, drastically reducing the risk of unauthorized access. Note that the amended regulation extends the MFA requirement beyond remote access and privileged accounts to, ultimately, any individual accessing any of your information systems.

Limit Access Privileges:

Establish strict controls over user access privileges. Ensure that access to sensitive data and critical systems is granted on a need-to-know basis, that privileged accounts are kept to a minimum, and that privileges are reviewed at least annually and updated promptly when roles change or staff leave. This practice is key to minimizing the risk of internal data breaches and unauthorized access.

Filing Proof of Compliance Documents:

Submit the annual certification of material compliance (or acknowledgment of noncompliance) that DFS requires, and retain the evidence behind it: your cybersecurity policy, risk assessment findings, records of penetration tests, MDR or monitoring processes, MFA implementation evidence, and documentation of access privilege reviews. DFS does not collect these records with the certification, but it can demand them, so ensure they are thorough, current, and readily available.

Adherence to the NY DFS Cybersecurity Regulation requires a dynamic approach that evolves with emerging cyber threats and regulatory updates. It’s vital to not only put these measures in place but also to document and regularly audit them to demonstrate ongoing compliance. 

Take the first step toward verifying your NYDFS compliance with a FREE Complete Technology Assessment and Compliance Review.