Many of the financial institutions I’ve spoken to over the last two years weren’t even aware that the New York State Department of Financial Services (DFS) had put forward one of the most aggressive cybersecurity regulations in the country. And if they were, most were very confused about it. Many thought they were “exempt.”
I spent the last two years reaching as many people as possible to inform and educate them that “no one is exempt.” There are limited exemptions for some organizations, but no one is truly exempt. Fast forward to 2020, after one of the most disastrous times in American history. In the middle of COVID-19 came the first publicized major enforcement action against an insurance company.
First American Title Insurance Company (a subsidiary of First American Financial Corporation) is the subject of the first enforcement action brought by DFS under 23 NYCRR Part 500, the regulation that requires covered financial institutions to maintain cybersecurity safeguards for their customers’ data. DFS alleged that First American Title Insurance Co., the second-largest real-estate title insurer in the nation, had exposed millions of documents containing Personally Identifiable Information (PII) for years.
The exposure allegedly came from a weakness in the company’s document management application: it served documents to anyone who knew a document’s link, without requiring a login or any check that the requester was entitled to see that document.
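The weakness described above is the classic access-control failure: the server treats knowing a document identifier as proof of entitlement. The following is an added illustration of that class of flaw beside a hardened version; it is constructed for this page and is not First American’s code, and the document store, identifiers, user names and the `session` dictionary are all assumptions.

```python
"""Constructed example: a document-retrieval endpoint that requires no
authentication (the weakness class described above) beside a hardened one
that authenticates the caller and authorizes on the specific document."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # assumed: the customer account entitled to read this document
    content: str


# Constructed sample store; identifiers, owners and contents are invented.
DOCUMENTS = {
    1001: Document(1001, "alice", "Title policy, escrow wire instructions, SSN ***-**-1234"),
    1002: Document(1002, "bob", "Deed and bank statement"),
}


class AccessDenied(Exception):
    """Raised when the caller is unauthenticated or not entitled to the document."""


def get_document_vulnerable(doc_id: int) -> str:
    """The weak pattern: the only 'secret' is the document number.
    The server never asks who is calling, so anyone who knows or guesses a
    doc_id (for example by walking sequential numbers) receives the file."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc.content


def get_document_hardened(doc_id: int, session: dict) -> str:
    """Hardened pattern: authenticate, then authorize on the object itself.
    `session` is an assumed stand-in for the web framework's session store;
    an unauthenticated request has no "user" key."""
    user = session.get("user")
    if user is None:
        raise AccessDenied("authentication required")
    doc = DOCUMENTS.get(doc_id)
    # Same outcome for a missing document and someone else's document, so the
    # response does not reveal which identifiers exist.
    if doc is None or doc.owner != user:
        raise AccessDenied("not found")
    return doc.content


def can_read(doc_id: int, session: dict) -> bool:
    """Convenience wrapper: True if the hardened endpoint would serve the document."""
    try:
        get_document_hardened(doc_id, session)
        return True
    except AccessDenied:
        return False


def count_leaked(fetch, id_range) -> int:
    """Simulate an enumeration attack: call `fetch` over a range of identifiers
    and count how many documents come back. `fetch` takes only a doc_id."""
    leaked = 0
    for doc_id in id_range:
        try:
            fetch(doc_id)
            leaked += 1
        except (KeyError, AccessDenied):
            pass
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable endpoint leaks:", count_leaked(get_document_vulnerable, ids))
    print("hardened, no session:", count_leaked(lambda i: get_document_hardened(i, {}), ids))
    print("hardened, alice logged in:",
          count_leaked(lambda i: get_document_hardened(i, {"user": "alice"}), ids))
```

The enumeration helper makes the difference concrete: against the vulnerable function a loop over identifiers recovers every document; against the hardened one the same loop yields nothing without a login and only the caller’s own documents with one. A penetration test or risk assessment that exercises an endpoint this way is exactly the kind of check that surfaces this weakness before an outsider does.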
Back in 2017, DFS issued its cybersecurity regulation, 23 NYCRR Part 500, as a series of sections.
“In public comments, Superintendent Linda A. Lacewell has repeatedly said, ‘Cybersecurity is the biggest threat to government and industry bar none,’” said a spokeswoman for DFS Superintendent Lacewell in an emailed statement. “The Superintendent has emphasized the DFS cybersecurity regulation will be enforced.”
The regulation specifies the steps to be taken to comply as follows:
If you are a small organization with fewer than 10 employees (or under the regulation’s revenue or total-asset thresholds), you are “limited exempt.” You still must comply with 7 of the 16 substantive sections of the regulation, including the risk assessment, the cybersecurity program and policy, access controls, and breach notification. If you are a larger organization, you must comply fully and designate a Chief Information Security Officer (CISO), who can be in-house, employed by an affiliate, or provided by a third-party service provider.
First American knew about the risk: according to DFS, the company had identified the weakness in a cybersecurity assessment back in 2018 and failed to act on it. Leaving the exposure in place made it easier for anyone to reach customers’ documents.
Have you had a cybersecurity risk assessment? It is the foundation of the regulation: the cybersecurity program, the written policy, and several other requirements are all meant to be based on it, and it will help you understand what your organization actually needs. It may save your business.