The exposure originated in a document-management system that served files to anyone who requested them: no authentication, and no check that the requester was entitled to the record (the documents were reachable by URL and numbered sequentially, so they could be enumerated). NYSDFS charged First American with six violations of its Part 500 cybersecurity regulation, which took effect in March 2017. The penalty is up to $1,000 per violation, and NYSDFS has treated each exposed record of personal information as a separate violation, so the total exposure for an institution in this position is substantial.
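The failure mode described above, as an added illustration that is not First American's code or the page's own: a toy document store whose original lookup returns any document by number to anyone, beside a hardened lookup that requires a session and checks ownership, plus the enumeration loop a tester would run against the weak version. All names, records, session tokens and document numbers are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Document:
    doc_id: str
    owner: str       # account that uploaded the document
    body: str        # in the real incident: closing files with SSNs, bank details, etc.


@dataclass
class DocumentStore:
    docs: Dict[str, Document] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)  # session token -> username

    def fetch_vulnerable(self, doc_id: str) -> Optional[str]:
        """Looks up a document by its number and returns it to anyone who asks.
        No session and no ownership check: the pattern the post describes."""
        doc = self.docs.get(doc_id)
        return doc.body if doc else None

    def fetch_hardened(self, session_token: Optional[str], doc_id: str) -> Optional[str]:
        """Requires a valid session and returns the document only to its owner.
        'Missing' and 'not yours' are deliberately indistinguishable to the caller,
        so the response does not confirm which numbers exist."""
        user = self.sessions.get(session_token) if session_token else None
        if user is None:
            return None
        doc = self.docs.get(doc_id)
        if doc is None or doc.owner != user:
            return None
        return doc.body


def new_document_id() -> str:
    """Unguessable identifier for new records. This defeats casual enumeration but is
    not a substitute for the ownership check above: a leaked link would still work."""
    return secrets.token_urlsafe(16)


def enumerate_sequential(store: DocumentStore, first: int, count: int) -> int:
    """What a vulnerability assessment (or an attacker) does against fetch_vulnerable:
    walk the numeric ID space and count how many records come back with no login."""
    return sum(1 for n in range(first, first + count)
               if store.fetch_vulnerable(str(n)) is not None)


def build_sample_store() -> DocumentStore:
    """Constructed sample data with sequential IDs, as a legacy system might assign."""
    store = DocumentStore()
    store.docs["1000001"] = Document("1000001", "alice", "Closing statement for Alice")
    store.docs["1000002"] = Document("1000002", "bob", "Wire instructions for Bob")
    store.docs["1000003"] = Document("1000003", "bob", "Bob's tax ID form")
    store.sessions["tok-alice"] = "alice"   # hypothetical session token
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("unauthenticated enumeration leaked", enumerate_sequential(s, 1000000, 10), "records")
    print("hardened, no session:", s.fetch_hardened(None, "1000002"))
    print("hardened, alice reading bob's file:", s.fetch_hardened("tok-alice", "1000002"))
    print("hardened, alice reading her own file:", s.fetch_hardened("tok-alice", "1000001"))
```

Running the script shows three records leaking to an unauthenticated walk of ten consecutive numbers, while the hardened lookup returns nothing without a session, nothing for another user's document, and the body only for the owner. Random identifiers from `new_document_id` are worth adopting for new records, but the authorization check is the control that actually closes the hole.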
Part 500 contains a set of 17 requirements in total (the full text is available on the NYSDFS website). They cover a wide range of obligations for banks and financial institutions: a documented cybersecurity program, regular risk assessments, penetration testing and vulnerability assessments, access controls on nonpublic customer information, and more. Limited exemptions exist, as noted below, but they do not apply to First American Financial, a leading provider of title insurance and settlement services with roughly $6.2 billion in revenue as of 2019, nor to most other financial institutions of comparable size.
Exemptions from the Part 500 requirements include the following:
Part 500 Requirements and What Your Institution Can Do To Remain Prepared
Part 500 is, in effect, a set of best practices for building an adequate cybersecurity program and protecting customer information, and it is worth following in any organization. If your bank or financial institution is not exempt, however, the rules below are mandatory, and adopting them fully is the most direct way to reduce risk, avoid NYSDFS penalties, and reach a defensible level of security:
It is tempting to assume that what happened to First American Financial will never happen to your institution, but the number of institutions hit by cyber-attacks keeps growing year after year, and the preparation to contain a breach has to be in place before it occurs. The negative publicity and the government fines and penalties that follow are part of the cost. More information-security requirements are likely to follow, so stay ahead of them, prepare your institution now, and avoid becoming the next First American.
Banking Blog - By Our Subject Matter Experts
acxell Banking Blogs is dedicated to providing an informative and fresh look at matters that affect the banking and financial industry, including the direction of risk, compliance matters, audit, and more.