Strategies

Cybersecurity Compliance Failures in Financial Services

Examining three breach and compliance failure cases under the New York Department of Financial Services’ 23 NYCRR Part 500 cybersecurity regulation.
June 30, 2021
4 min. read

Headlines about breaches and compliance penalties give us a strong idea of what we do not want for our security programs. Of the breaches in 2020, the financial sector had the highest percentage at 17 percent, as noted in the 2021 Application Protection Report. With breaches, come regulator attention. In 2017, New York’s Department of Financial Services (NYDFS) enacted 23 NYCRR Part 500 regulations, calling out explicit cybersecurity requirements for financial services firms. Since then, three financial services organization that were breached have faced sobering consequences for failing to meet the NYDFS law. This article looks at each of them in detail.

Business Email Compromise via Phishing Unreported

On March 5, 2019, a Residential Mortgage Services employee received an email apparently from a business partner. It was phishing email that duped them into revealing their password on a malicious website. Luckily, the email system was protected by multifactor authentication (MFA). Unfortunately, the employee granted approval to a prompt for MFA authorization four times in row, even though it was after hours. The next day, upon receiving a fifth MFA prompt, the employee alerted IT. An investigation concluded that the email account was indeed compromised, but the impact was limited and the matter closed.

On March 30, 2020, during an NYDFS assessment that included a review of this incident, examiners found that Residential Mortgage Services failed to perform breach notification, even though the affected email account contained sensitive customer financial data. They also found that Residential Mortgage did not have a comprehensive documented cybersecurity risk assessment.1

Residential Mortgage Services was fined $1.5 million.

Key Lessons

Severe Web Exploit Went Unpatched for Years

In October 2014, First American Title rolled out a new version of EaglePro, a web-based document delivery system that employees and partners use to access real estate title documents. Some of these documents contain customer data such as bank account numbers, mortgage details, tax records, Social Security numbers, and driver’s license images.

In December 2018, First American Title conducted a penetration test against EaglePro. The test discovered that by manipulating the URL line, authentication could be bypassed. Furthermore, this vulnerability was so easily exploited that search engine indexing had already accessed over 5,000 documents.

The vulnerability remained unpatched due to a series of operational glitches, including assigning the fix to a new employee with little security experience, accidentally lowering the priority from medium to low, and not sharing the test report with the remediation owner.

In May 2019, journalist Brian Krebs reported the vulnerability after hearing from a concerned customer who discovered it by accident.2 During the ensuing NYDFS investigation, the chief information security officer (CISO) “disavowed ownership” of the issue, stating that such controls were not the responsibility of the security department.3 Furthermore, NYDFS regulations also require encryption for documents containing sensitive financial information. Since the vulnerability was first introduced, it was estimated that tens of millions of records had been exposed.

First American Title settled with the U.S. Securities and Exchange Commission (SEC) for $487,616.4 The NYDFS judgment has not yet been determined.

Key Lessons

Multiple Phishing Breaches, Partial MFA

National Securities Insurance suffered four major phishing breaches between 2018 and 2020. In April 2018, its CFO’s Office 365 email account was discovered to be forwarding to an external account. IT determined that the CFO had clicked on a phishing email that exposed sensitive customer information. The breach was reported to the individuals involved and the appropriate state attorneys general offices but not NYDFS.

In March 2019, National Securities discovered unauthorized access to its tax software document management system. The attack was found to originate from a phishing attack on an employee’s Office 365 email account. All potentially impacted customers were notified, as well as the IRS, the SEC, the FBI, the local county sheriff’s office, but not NYDFS.

In September 2019, an unverified change to an employee’s direct deposit account triggered an investigation that discovered that the employee’s email had been compromised through phishing. All potentially impacted individuals were contacted.

In April 2020, an independent contractor reported a suspicious transfer of funds in the amount of $200,000. An investigation uncovered more illicit transfers due to a phishing attack on the contractor’s Office 365 email account. All potentially impacted individuals were contacted.

An NYDFS review revealed that MFA for email had not been fully rolled out. All National Securities corporate employees’ email accounts had been migrated to Google Suite with MFA, but not all the contractors’ accounts. Furthermore, the review showed that National Securities had more than 60 third-party applications with sensitive customer information, but not all with MFA.5

National Securities was subject to a judgment of $3 million.

Key Lessons

The Future

As the headlines continue to fill with breaches, legislators will layer on more security regulations. While 2020 saw a lot of breaches, we should expect more in 2021. And when those happen, victims and regulators will look for negligence. Make sure your security program is robust and can stand up to judgment.

Authors & Contributors
Raymond Pompon (Author)
Footnotes

1https://www.dfs.ny.gov/industry_guidance/enforcement_discipline/ea20210303_residential_mortgage

2https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/

3https://www.dfs.ny.gov/industry_guidance/enforcement_discipline/ea20200721_first_american_statement_notice

4https://krebsonsecurity.com/2021/06/first-american-financial-pays-farcical-500k-fine/

5https://www.dfs.ny.gov/industry_guidance/enforcement_discipline/ea20210412_national_securities_corp

Read More from F5 Labs

2024 DDoS Attack Trends
DDoS
2024 DDoS Attack Trends
07/16/2024 report 30 min. read
Continued Intense Scanning From One IP in Lithuania
Sensor Intel Series
Continued Intense Scanning From One IP in Lithuania
10/21/2024 article 5 min. read
Three Ways AI Can Hack the U.S. Election
Generative AI
Three Ways AI Can Hack the U.S. Election
10/27/2024 article 10 min. read