What do the NYDFS fines mean for multi-factor authentication?
The New York State Department of Financial Services (NYDFS) has reached a settlement with National Securities Corporation (the Company) requiring a payment of $3m for alleged failures to properly implement multi-factor authentication (MFA), provide notice to NYDFS of two cybersecurity events and for falsely certifying compliance for the 2018 calendar year, all of which are breaches of the NYDFS Cybersecurity Regulations.
Note that the NY Cybersecurity Regulations apply to “Covered Entities”, namely “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
The scope is therefore narrower than that of the GDPR and other, more general, data protection legislation, although there are a number of parallels that can be drawn. While the Cybersecurity Regulation applies to fewer entities, for the entities it does apply to, the scope of protected information is arguably broader: all “non-public information” (NPI) must be protected, whether or not it would constitute personal data under the GDPR.
One area to flag is the NYDFS’ apparent widening of the MFA requirements in its Cybersecurity Regulations. The wording of the regulation (500.12(b)) states as follows:
“Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.” (my emphasis)
However, the Consent Order states:
“Certain third-party applications used by the Company, which accessed the Company’s internal network or contained consumer NPI, did not have MFA fully implemented, and one application does not have MFA fully implemented, in violation of 23 NYCRR § 500.12(b).”
The above extract from the Consent Order appears to widen the MFA requirement so that it applies in all circumstances in which third-party applications used by the Company access the internal network, whether or not those applications are being accessed by an employee from an external network. More guidance from the NYDFS is needed to determine whether this was the intended outcome, and what the NYDFS’ interpretation of 500.12(b) is.
The $3m settlement with the Company also follows a recent $1.5m settlement with Residential Mortgage Services, Inc., which likewise cited a failure to investigate and respond appropriately to a cybersecurity incident. Clearly this is a key focus area for the NYDFS.
While the settlement does not set a precedent in a legal sense, it gives a good indication of the NYDFS’ regulatory focus. This aligns with the focus of other regulators, who are quick to act following cybersecurity incidents and/or data breaches (see below).
The penalty follows on from a cybersecurity incident suffered by the Company. A number of the big GDPR enforcement fines we have seen (particularly from the ICO in the UK) have similarly followed on from cybersecurity incidents and data breaches.
While GDPR doesn’t prescribe specific security measures (such as MFA), it does require the implementation of “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. One of the main lessons that can therefore be learned from the NYDFS penalty is that not implementing required security measures can be a costly decision.
Due to the nature of the cybersecurity incident (i.e. the threat actor obtained access to personal data) this would also have constituted a data breach under GDPR. As such, if it had affected data subjects whose data was covered by GDPR, the Company could have faced enforcement action from multiple regulators for breaches of different regulations stemming from the same facts.
It's also worth noting that a constituent element of the penalty relates to the Company’s failure to notify the NYDFS of two cybersecurity incidents. Pursuant to 500.17(1)(a), the NYDFS must be notified of any Cybersecurity Event where notification is also required to any other “government body, self-regulatory agency, or other supervisory body”.
Similar (and potentially overlapping) notification requirements exist under GDPR and these must be borne in mind by organizations in the aftermath of any security incident.
One of the key reactions that business compliance teams should have is to review breach response policies and procedures to ensure that they cover all applicable reporting requirements.
The timeframe for reporting breaches under both the GDPR and the NYDFS Cybersecurity Regulation is 72 hours from discovering the breach, so time is of the essence. Staff should be trained to identify potential breaches and escalate them appropriately within the organization, so that legal advice can be obtained where necessary as to whether a report needs to be made.
Part of the Company’s obligations under the Consent Order is to implement a Cybersecurity Incident Response Plan. It is therefore better to proactively consider and implement such a plan before an event occurs than to be forced to do so after the fact by a regulator.
Another crucial takeaway is that all four of the cybersecurity incidents referred to in the Consent Order (the two that were notified to the NYDFS and the two that the Company failed to notify the NYDFS about) are thought to have been caused by phishing schemes. Phishing emails are also cited as the cause of the cybersecurity incident referred to in the $1.5m Residential Mortgage Services consent order.
As is commonly the case, the weakest link in the Company’s security was therefore the human element. Compliance teams should redouble their efforts in training staff to identify suspicious emails and follow the necessary policy (i.e. contact IT teams and delete the offending emails without opening them). Again, as part of the Consent Order, the Company was required to submit to the NYDFS a cybersecurity training programme to be rolled out to all personnel.
The expansion of the scope of the MFA requirement is also something that compliance teams should review carefully. Where entities subject to the NYDFS utilize cloud-based applications that are accessed from within the internal network, these may previously have been overlooked when deciding where to implement MFA. Given the provisions of the Consent Order, this decision may need to be revisited.