NYDFS Files First Suit: What You Should Know

Cybersecurity is becoming increasingly central to regulatory compliance, with more and more attention being required to cope with new privacy laws and regulations enacted by international entities (GDPR in the European Union, Brazil’s LGPD, Canada’s PIPEDA) and multiple US state governments (led by California and New York). The challenge many organizations struggle with is understanding what cybersecurity capabilities must be in place to meet regulatory needs.


Yet some overwhelmed organizations may fail to maintain compliance through complacency or by downplaying the likelihood that a regulation will be enforced. This is naïve: we’re seeing regulators paying closer attention to how businesses are protecting consumer information and the bar is being continuously raised for privacy and cybersecurity regulatory requirements.


If your organization doesn’t typically have regulators auditing your privacy and cybersecurity program, don’t be complacent. If you have a significant security incident, especially when consumer information is involved, it’s very likely that you’ll get a call. How you handle the response will directly affect the outcome of any investigations – especially if the incident is reported to regulators or made public by an outside source.


We’re now seeing this scenario play out with New York State Department of Financial Services (NYDFS) 23 NYCRR 500. The NYDFS has filed its first lawsuit, and the complaint centers on four familiar challenges. The NYDFS alleges multiple failures by the organization (First American), specifically:


  • Failure to follow internal policies and to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the vulnerability;

  • Misclassification of the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American's internal cybersecurity policies;

  • Failure to conduct a reasonable investigation into the scope and cause of the exposure after discovery by an internal penetration test in December 2018, reviewing only ten (10) of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and

  • Failure to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.


This incident was first publicly reported by Brian Krebs in May 2019, seemingly before any report to the superintendent, which is required within 72 hours from the determination that a cybersecurity event has occurred.


The NYDFS press release reinforces the governance and risk management components of an information security program, starting with the basic edict to follow company policy. 23 NYCRR 500 requires organizations to maintain a written cybersecurity policy that’s approved by a senior officer, the board of directors or an appropriate committee. Policies set the organization’s rules and establish accountability; there must be consequences for not actively following the official policy.


If you find yourself facing a significant security incident, your response can determine the level of scrutiny you’ll receive from customers and regulatory authorities. Organizations are getting better at incident identification and analysis, but we continue to see evidence in the press that many still struggle with incident response. In the new NYDFS lawsuit, exposure of sensitive information was detected, but there wasn’t a well-honed action plan.


It’s crucial that security teams establish a comprehensive incident and breach response plan that defines what constitutes an incident (thus establishing authority and accountability for action) and identifies business and legal stakeholders for escalation actions. Components of the plan should include:


  • Identification of an incident commander to coordinate all incident response activities through resolution

  • Assignment of authority to make critical decisions (such as taking a system or service offline)

  • Identification of key roles and individuals to conduct the incident investigation

  • Methodology to evaluate incident severity

  • An evaluation of incident reporting requirements that determines who must be notified, under what circumstances, by when, and who is responsible for making the notification

  • A notification strategy outlining communication guidelines for affected audiences


NOTE: The NYDFS regulation establishes two scenarios under which covered entities need to report cybersecurity events (note that the regulation does not say “confirmed breach”):


  • When the cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.

  • When the cybersecurity event triggers a separate obligation of the company to report to a government body, self-regulatory agency or any other supervisory body.


An organization’s response to incidents should hinge on the assessment of severity, which should be based on key facts gathered and analyzed by the incident response team. Examples of key inputs to severity analysis include:


  • Nature of the incident (e.g., whether data was potentially destroyed, accessed or unavailable)

  • Type of data that may be affected

  • Potential for harm to customers/consumers, personnel, third parties, etc.

  • Impact of the incident on business processes

  • Status of the incident (e.g., whether the incident is isolated, continuing or contained)


The incident commander and other key personnel should periodically re-evaluate all elements of the incident response plan to ensure the organization’s response is assigned the appropriate resources and urgency as well as to ensure that appropriate communications tactics are in place.


As the ancient Greek poet Archilochus wrote, “We don't rise to the level of our expectations; we fall to the level of our training.” Having a plan in place that establishes how to respond to security events helps an organization remain in control in the event of an incident, which in turn assures higher levels of customer trust, minimizes business impacts and provides the best possible outcome of a regulatory investigation.

John Clark
Executive Director, Office of the CISO
John Clark is an information security professional with over 20 years of experience in various industry sectors including legal firms, financial services, utility companies, and technology service providers. As executive director, executive solutions in the Office of the CISO at Optiv, Clark leverages his experience and passion to help organizations build and improve business-focused security strategies and programs.