Lessons for lenders from the first cybersecurity enforcement action by NYDFS
Offit Kurman Partners Published in Housing Wire on NYDFS Cybersecurity Enforcement.
Three years after enacting one of the country’s most exacting cybersecurity regulations, the New York State Department of Financial Services recently filed its first cybersecurity enforcement action.
In its July 21, 2020, statement of charges, NYDFS alleged that First American Financial, one of the country’s largest title insurers, failed to properly respond to a security vulnerability on its website. After a penetration test uncovered the vulnerability, First American misclassified the vulnerability’s risk, failed to properly investigate the vulnerability and the resulting exposed documents, and rejected the recommendations of its in-house cybersecurity team.
As a result, NYDFS alleges that the insurer’s website exposed millions of documents containing consumers’ nonpublic personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ licenses. NYDFS seeks civil monetary penalties that could leave First American exposed to millions in liability.
While we await the results of the NYDFS’s hearing scheduled for October 2020, several key lessons can be learned from this enforcement action:
First, expect cybersecurity to remain a regulatory focus. The timing of the NYDFS’s inaugural enforcement action shows that cybersecurity remains a key priority for the NYDFS, even during the COVID-19 pandemic. NYDFS-licensed mortgage lenders are required to attest annually to compliance with the state’s cybersecurity requirements, which were enacted in March 2017.
If your mortgage company has attested to compliance but has not fulfilled NYDFS requirements — such as multi-factor authentication, cybersecurity training for employees, encryption, and penetration testing — you should prioritize completion as soon as possible.
Second, centralize controls and empower your Chief Information Security Officer (CISO). NYDFS alleges that First American’s controls and training were decentralized, and the company’s CISO was given limited responsibility for implementing cybersecurity processes throughout the company. Many mortgage lenders outsource the CISO function based on limited internal capabilities and capacity, as permitted by NYDFS regulations.
Nevertheless, it is important to ensure that outsourced CISO recommendations are heeded by a mortgage company’s top management. Controls and training should be implemented consistently company-wide, rather than allowing each business unit to implement its own processes.
Third, involve outside counsel when sensitive cybersecurity issues arise. The NYDFS’s charges reveal First American’s employees’ internal confusion and disagreements about how to address the vulnerability. Outside counsel can coordinate a response and minimize the chance that employees will prematurely speculate, and arrive at conflicting conclusions, about a security vulnerability.
And, outside counsel can establish an attorney-client privileged channel for communications, which will reduce the likelihood that unflattering documents relating to a data incident will become evidence in a legal proceeding. Mortgage lenders should retain, or at a minimum identify, competent cybersecurity counsel before cybersecurity issues arise.
Fourth, use outside cybersecurity experts. Under the direction of outside counsel, outside cybersecurity experts should be engaged to provide an independent, objective assessment of cybersecurity issues. This is preferable to relying on a mortgage lender’s own employees, who may be tainted by conflicts of interest.
Involving outside cybersecurity experts will also lessen the possibility that a mortgage lender’s employees will have internal disputes on how to respond to a cybersecurity issue. From the perspective of employees, these internal disputes can destroy morale. From the perspective of the NYDFS, these internal disputes can be problematic.
ABOUT DANIELLA CASSERES
Daniella Casseres’ legal practice focuses on laws and regulations governing mortgage lenders, mortgage brokers, financial institutions and consumer finance companies. She regularly advises clients on state and federal compliance laws and regulations including fair lending, advertising, licensing, privacy, TILA, RESPA, FHA, FCRA, and BSA requirements.
Ms. Casseres drafts and reviews wholesale lending and mortgage loan purchase agreements, and structures loan originator compensation for mortgage companies. She also represents clients in federal and state regulatory investigations and assists in related litigation matters.
ABOUT CHARLES NERKO
Charles J. Nerko is a problem-solving litigator who uses a practical and business-conscious approach to obtain favorable results amid critical circumstances. Mr. Nerko has a track record of success resolving disputes involving data privacy, technology, contracts, business torts, and restrictive covenants. He also advises clients on strategies to minimize litigation risks and protect their confidential information.
Mr. Nerko is a go-to advisor and litigator in new areas of the law and emerging technologies, and clients turn to him for swift, decisive victories when their reputations or confidential information assets are at risk. Mr. Nerko has represented the New York Credit Union Association in a technology dispute, as well as credit unions throughout the country in data security and technology contract litigation against the largest provider of online banking and outsourced technology services to financial institutions. He has also represented a variety of businesses in “bet the company” disputes concerning the misappropriation of confidential information.
ABOUT OFFIT KURMAN
Offit Kurman is one of the fastest-growing full-service law firms in the United States. With 14 offices in seven states, and the District of Columbia, and growing by 50% in two years through expansions in New York City and Charlotte, North Carolina, Offit Kurman is well-positioned to meet the legal needs of dynamic businesses and the individuals who own and operate them. For over 30 years, we’ve represented privately held companies and families of wealth throughout their business life cycles.
Whatever and wherever your industry, Offit Kurman is the better way to protect your business, preserve your family’s wealth, and resolve your most challenging legal conflicts. At Offit Kurman, we distinguish ourselves by the quality and breadth of our legal services—as well as our unique operational structure, which encourages a culture of collaboration and entrepreneurialism. The same approach that makes our firm attractive to legal practitioners also gives clients access to experienced counsel in every area of the law.
Find out why Offit Kurman is The Better Way to protect your business, your assets and your family by connecting via our Blog, Facebook, Twitter, Instagram, YouTube, and LinkedIn pages. You can also sign up to receive LawMatters, Offit Kurman’s monthly newsletter covering a diverse selection of legal and corporate thought leadership content.
DELAWARE | MARYLAND | NEW JERSEY | NEW YORK | NORTH CAROLINA | PENNSYLVANIA | VIRGINIA | WASHINGTON, DC