Title Insurance Company is Target of First Ever Cybersecurity Enforcement Action by NYDFS
The New York Department of Financial Services (NYDFS) recently issued charges under 23 NYCRR Part 500, the State’s cybersecurity requirements for financial services firms. These requirements went into effect in 2017, but these are the first charges to be filed by the NYDFS under them. The NYDFS statement of charges alleges that First American Financial Corporation (NYSE: FAF, the parent company of First American Title) violated six requirements of the cyber regulation. The charges relate to an incident disclosed by security blogger Brian Krebs in a 2019 posting.
An online repository used by First American containing as many as 880 million documents (many with sensitive non-public personal information) was accessible to any internet user due to a flaw in the repository’s security design. The repository is used to support the closing process for real estate transactions. First American is the second largest provider of title insurance in the United States.
The charges go on to allege that the security flaw in the online document repository was first discovered in December 2018 through an internal penetration test of the repository system conducted by the company, but was not addressed until after Krebs exposed the issue in May 2019. According to NYDFS, the vulnerability was introduced by an update to the online repository in October 2014, meaning that it was present for more than 4 ½ years in total, and for at least six months after management was notified of its existence. The statement of charges describes several failures by First American in this incident, including:
- Failure of the change management process
- Failure to understand that the system housed sensitive personal information
- Failure to follow its own policies and procedures with respect to the identification and remediation of vulnerabilities
- Failures to properly identify and categorize risks
According to a more recent posting by Brian Krebs, First American strongly disputed NYDFS’ charges and said their own internal investigation in the summer of 2019 determined that only a small number of consumers were affected and none from the State of New York. A hearing is set for October 28, 2020.
This development is interesting on multiple fronts:
- This is the first enforcement action taken since the NYDFS cybersecurity requirements went into effect in 2017, so the results of this investigation and the charges being levied will set a precedent for how future cases are handled.
- It is unclear how NYDFS will attempt to apply the fines that are described in the NYCRR Part 500 regulation. According to Reuters, “Penalties could be significant, because the regulator considers each instance of exposed personal information a separate violation, with a maximum $1,000 penalty.”
- This is a major case involving the title insurance industry, whose systems and processes for addressing cyber threats are less mature than those in other sectors of the financial services industry. Because of the nature of their business, title insurers hold vast amounts of personal information about buyers and sellers that could enable identity theft, spear phishing and other forms of fraud if the data is not properly secured.
- The investigation performed by NYDFS appears to be extensive, involving reviews of First American’s internal documents, communications between members of management, and interviews of key personnel. The investigation has undoubtedly consumed significant internal resources at First American. More information about the depth (and quality) of the NYDFS investigation will be revealed once hearings proceed in October.
Key takeaways for companies and security professionals are as follows:
- Financial services companies who may be “covered entities” under NYCRR Part 500 should pay attention to the precedent being set in this case.
- Title insurers should evaluate the maturity of their cybersecurity practices. Regulatory trends require increased data privacy and security protections, and given the vast quantities of personal information title insurers maintain, officials will not tolerate lax security. The American Land Title Association (ALTA) has cybersecurity resources that title companies may find useful.
- In a post-incident investigation conducted by a regulator, cyber and IT professionals should recognize that it looks bad to have documented cybersecurity policies and procedures in place, covering risk assessment, vulnerability management and remediation timelines, and then not follow them. Organizations should consider reviewing the design and effectiveness of their cyber program on a regular basis, whether through qualified internal resources or external professionals.
If you have an interest or concern regarding cybersecurity practices, Weaver is equipped to advise organizations on these matters. Please reach out to us if we can be of assistance to your organization.
© 2020