Asked what poses the greatest threat to the US financial system and their organizations right now, four bank CEOs at the May 26 congressional hearing responded cyber. “Cyber, and specifically the potential impact on consumer data and data privacy,” said James Gorman, CEO of Morgan Stanley.
In July 2020, the DFS took an unprecedented step. It charged an insurance company not for being breached, but for having defects in its cybersecurity program. The DFS alleged that management failed to address a vulnerability for six months after discovering it, ignored recommendations from its cybersecurity team, and misclassified the vulnerability as “low.”
The company’s website allegedly contained a defect that could allow malicious actors to manipulate its URL and retrieve sensitive customer data such as bank account information and Social Security numbers.
The enforcement action was the first under DFS’s 2017 cybersecurity regulation (i.e., Part 500), which took full effect in March 2019. The regulation contains broad cybersecurity expectations for financial institutions, with requirements for encryption, multi-factor authentication, governance, and reporting. As a result, what would have previously been an examination finding has become a violation of regulation, which triggers the DFS’ enforcement powers.
The DFS’s new focus on cyber enforcement comes from Superintendent Linda Lacewell, a former federal prosecutor who took the helm in 2019. She created the DFS Cybersecurity Division — a first of its kind for a financial industry regulator — and placed former prosecutors in key roles. The Cyber Division has equal standing with the Banking, Insurance, and Consumer Protection and Financial Enforcement divisions.
With this first enforcement action, Lacewell sent a clear message: Data loss is no longer the sole trigger for DFS action. A lack of vigilance or lax risk management can spell serious trouble for any financial institution.
Lesson 1: An organization could be subject to an enforcement action (a public consent order or fines) even if a breach hasn’t occurred. If the DFS has evidence that the organization has willfully or neglectfully let its cyber protocols slip, in violation of its regulations, it can file charges against the organization.
The DFS has also expanded what constitutes an enforcement action by levying a $1.5 million penalty last March on a licensed mortgage banker for failing to report a cyber breach. In 2019, criminals breached the email account of an employee who had access to sensitive personal data of many loan applicants. The company did not investigate and identify the exposed consumer data until DFS prompted it to act. DFS also found that the mortgage banker lacked a comprehensive Cybersecurity Risk Assessment, which is required by its Part 500 cybersecurity regulation.
Lesson 2: Delays in reporting a breach can result in sizable penalties.
DFS actions continue to pick up steam. In April, DFS announced an enforcement action against an insurance company over alleged defects in its cybersecurity program. The allegations:
The DFS is signaling that it is not going to give firms a pass. Implementing MFA is challenging. If a firm uses alternative controls, it must provide documentation that they’ve been subject to both a risk assessment and the Chief Information Security Officer’s approval in writing.
Lesson 3: Part 500’s flexibility is not a license to slack on the rule’s more challenging requirements, such as MFA.
Lesson 4: An organization that falsely certifies compliance with Part 500 is in violation of the regulation and will receive incremental sanctions.
These lessons reverberate in the fourth cybersecurity enforcement action involving a civil monetary penalty in the past year. On May 13, the DFS announced that two related life insurance companies will pay a penalty of $1.8 million for failing to implement MFA, without reasonably equivalent or more secure access controls approved in writing by the CISOs. Specifically, the companies fell victim to phishing attacks designed to harvest employee email account credentials. The result: exposure of a significant amount of sensitive and personal data of customers. Further, DFS found that both companies falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018 because MFA was not fully implemented.
Overall, the DFS is making it clear that weaknesses in basic cybersecurity practices will not be tolerated. Its stronger enforcement may encourage financial services firms to focus on, and invest in, cyber hygiene, and to proactively assess and mitigate risks.
As FS regulators have increasingly emphasized the importance of operational resilience, OCC notifications known as “matters requiring attention” (MRAs) are climbing. When unremediated, MRAs, which contain confidential supervisory information, can form the basis for public enforcement actions. At that point, regulators issue cease-and-desist orders or impose sanctions, including civil monetary penalties (“fines”).
Recent consent orders by the OCC involved violations of standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information (12 C.F.R. Part 30).
Like the DFS enforcement actions, the cases share a theme: Failure to build cybersecurity and privacy into overall risk management practices can result in sanctions. Cybersecurity and consumer protection are intertwined in many parts of the business, such as cloud security, data center operations and vendor management.
At one bank, the OCC discovered significant cyber risks from inadequacies in the compliance management systems, IT programs, and internal controls and information systems. In investigating cloud security at another bank, it held management accountable for the shortcomings in internal controls. It found two common pitfalls with cloud adoption: the lack of an effective risk assessment/risk management process before migration to the cloud, and numerous control weaknesses and gaps in the cloud operating environment. In a third case, the OCC found that the entities had weak vendor management controls and failed to exercise proper oversight of the decommissioning of business data centers.
Although the New York cybersecurity regulation covers only financial institutions regulated by DFS, it gives the DFS power to enforce rules at non-financial organizations when cyber attacks involve financial institutions.
Case in point: in a 2018 finding, following a large breach, the DFS found that credit rating agencies were subject to its oversight and subsequently implemented registration requirements for those companies, subjecting them directly to Part 500. Following that finding, the DFS joined a coalition of 50 attorneys general in the investigations that led to the largest settlement in data breach history in the US, demonstrating its willingness to protect New York state residents’ rights to privacy and data protection.
DFS’ more recent investigations into the compromise of social media platforms and associated fraud involving cryptocurrency further illustrate its regulatory reach. Part 500 has also served as the model for the NAIC’s Insurance Data Security Model Law and the Federal Trade Commission’s revised rule on cybersecurity.
It’s time to strategically brief the board and CEO that enforcement winds are shifting, and to get the support you need to strengthen your organization’s cybersecurity posture.
Corporate directors and CEOs demand assurance from CISOs and CIOs that they’re going to keep the company out of the headlines. They immediately want to know if their organization is vulnerable to attacks that draw unwanted attention from the media, consumers or investigators.
A fifth of corporate directors say that a cyber breach reflects “very negatively” on a company’s board, according to our 2020 survey of 693 corporate directors. Yet only 32 percent of corporate directors understood the company’s cyber vulnerabilities very well. (Compare that with 87 percent who have high familiarity with the company’s strategy, and 68 percent who know the competitive landscape.)
Risks are higher, with rising frequency and more significant attacks. Cybercriminals have taken advantage of the increased attack surface that resulted from a pandemic-related large-scale shift to remote work, COVID-19 scams, new third-party arrangements cobbled together quickly, and hasty shifts to cloud services.
Ransomware payments averaged $220,298 in the first quarter of 2021, up 43% from the fourth quarter of 2020. Nation-state actors have gotten a foothold in the systems of multiple federal government agencies through malware inserted into software updates. More than 167,000 people reported to the FTC in 2020 that a fraudulent credit card account had been opened in their name, using their personal information. And the list goes on.
The private sector could make use of the impetus from the DFS’ more muscular enforcement of its cybersecurity regulation to step up its self-scrutiny. They would be well advised to do so: the DFS could well become a “superspreader” of regulatory practices. Already it serves as a model for other regulators, including the US Federal Trade Commission, multiple states, and the National Association of Insurance Commissioners.
Even with a lack of single regulation on cybersecurity, different agencies advocating for different objectives (consumer protection, consumer privacy, unfair business practices or antitrust) can take action. For a single shortcoming, an organization could face multiple actions from a number of entities including the SEC, Department of Justice, Federal Trade Commission, the European Union and states.
55% of CISOs and CIOs we surveyed in April 2021 agree that stricter enforcement will cause financial institutions to improve their cybersecurity posture.
Cyber, Risk and Regulatory Marketing Lead Partner, PwC US
Managing Director, PwC US
Managing Director, Cybersecurity and Privacy, PwC US