Cybersecurity

On October 14, 2020 NYDFS issued a report of its investigation of the July 2020 Twitter hack. According to agency findings:
– Hackers accessed Twitter’s systems by calling Twitter employees and claiming to be from Twitter’s IT department; hijacked Twitter accounts of politicians, celebrities, and entrepreneurs with hundreds of millions of followers; and then engaged in a bitcoin fraud scheme causing at least $118,000 in losses.
– Cryptocurrency firms regulated by NYDFS — all of which are subject to the Department’s comprehensive cybersecurity regulation — responded quickly to block attempted transfers to the Bitcoin addresses used by the fraudsters, thereby mitigating fraud losses.
– Although it has 330 million average users per month, at the time of the attack Twitter did not have a chief information security officer, adequate access controls and identity management, or adequate security monitoring.

The report recommends that the largest social media companies should be designated as “systemically important” institutions with prudent regulation to manage heightened cybersecurity risk. Expect this to have impact. DFS continues in a leadership post in cybersecurity enforcement.

The NYDFS report may be found here: https://www.dfs.ny.gov/Twitter_Report

On December 18, 2020, NYDFS issued a supply chain compromise alert arising out of the SolarWinds hack. Some hot takes on Friday’s NYDFS guidance :
– If a regulated entity has been affected by the hack either directly, or indirectly through an affiliate or third party service provider, the entity should give notice to NYDFS right away – err on the side of disclosure
– NYDFS considers notice essential to understanding the full scope of the attack
– NYDFS will use this information to formulate a supervisory response that seeks to assist affected institutions and prevent further damage – the transparency necessary for an effective government response
– This is not a “gotcha” moment, but an opportunity for NYDFS to marshal resources to assist firms in responding to the attack and coordinate a response with other government agencies (FBI; DHS; etc.)
– Coincidence? On the same day NYDFS issued this specific guidance around its established cybersecurity regulation, federal banking regulators noticed a proposed rulemaking for the first time that requires notification to an entity’s principal federal regulator of a “computer-security incident.”

The guidance may be found here: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20201218_supply_chain_compromise_alert

NYDFS issued a report last week concerning Facebook data privacy deficiencies, following a WSJ report that Facebook received sensitive user data from some popular apps, including a fertility-tracking app named “Flo,” for use in Facebook’s analytics tool.
– Facebook’s subsidiary, Facebook Payments Inc., is licensed as a money transmitter but the report found Facebook Payments “had no involvement in the privacy issues examined.” Since Facebook, the parent, indicated its willingness to cooperate “fully” the parties sought to avoid any clash about jurisdictional issues.
– NYDFS found that, while Facebook had taken steps to remediate, such as building a screening tool that would reject sensitive health information, it failed to “engage fully” with respect to other remediation proposals, and its effort to enforce its own policies against collection of sensitive data was “seriously lacking.”
– In January 2021, the Federal Trade Commission reached a proposed settlement with “Flo,” the fertility tracking app, requiring it to keep promises about user privacy.
– NYDFS argues this is another incident demonstrating the need for greater regulation on the federal and state level.

The NYDFS report can be found here: https://www.dfs.ny.gov/system/files/documents/2021/02/facebook_report_20210218.pdf

The proposed Consent Order and Complaint for the Flo Health matter can be found here: https://www.ftc.gov/enforcement/cases-proceedings/1923133/flo-health-inc

On March 9, 2021 NYDFS issued another cybersecurity alert to regulated entities. It disclosed that in recent days thousands of organizations were compromised via zero-day (newly discovered) vulnerabilities in the Microsoft Exchange Server. Microsoft made patches available for these vulnerabilities on March 2 but many organizations apparently were compromised before the patches were either available or applied. NYDFS is urging all regulated entities with vulnerable Microsoft Exchange services to act immediately by patching or disconnecting vulnerable servers. CISA has also released a current activity update outlining how to search for the type of compromise identified.

The alert may be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202103092

On March 30 2021 NYDFS issued a followup cybercrime alert: “This cybercrime campaign is a serious threat to the personal information of New Yorkers, and we urge all personal lines insurers and other financial services companies to take aggressive action to prevent the further loss of consumer information. All financial services companies should immediately check for any evidence of this cybercrime and ensure that they have implemented [] the robust access controls required by DFS’s cybersecurity regulation, 23 NYCRR 500.”

https://www.dfs.ny.gov/industry_guidance/industry_letters/il20210330_cyber_alert_followup