Corporate Directors and Business Executives,
During July 2020, the New York State Department of Financial Services (NYSDFS)
filed its first charges of violations of the NYSDFS Cybersecurity Regulation against
First American Title Insurance Company, a Fortune 500 title insurance and
settlement services provider.
According to the NYSDFS statement of charges, a vulnerability on a First American
Title Insurance Company public website exposed more than 850 million
documents containing bank account information, social security numbers, driver’s
license images, and other nonpublic information for more than four years. This
information was available to anyone with a web browser. There were no login or
authentication requirements to access this website.
This vulnerability was introduced via a software update in May 2014 and went
undetected for years.
First American had a penetration test conducted during December 2018, and the
pen testers found this vulnerability. The issue was compounded because the
vulnerability was not fixed for an additional six months, until a cybersecurity
journalist reported on the data exposure and possible data breach of hundreds of
millions of these documents dating back to 2003.
The NYSDFS has filed the following six charges against First American Title
Insurance Company (Respondent):
1. Respondent failed to perform risk assessments for data stored or
transmitted within its information systems.
2. Respondent failed to maintain and implement data governance and
classification policies for nonpublic information suitable to its business
model and associated risks.
3. Respondent failed to limit user access privileges to information systems
that provide access to nonpublic information.
4. Respondent’s risk assessment was not sufficient to inform the design of
the cybersecurity program as required by the NYSDFS Cybersecurity
5. Respondent failed to provide regular cybersecurity awareness training for
all personnel and failed to provide updated training to reflect risks identified
during Respondent’s risk assessment.
6. Respondent failed to implement controls, including encryption, to protect
nonpublic information held or transmitted by the Respondent both in transit
over external networks and at rest.
As a corporate director or senior executive responsible for the organization’s
enterprise-wide cybersecurity risk, what questions should you be asking to ensure
your organization is compliant with the NYSDFS cybersecurity regulations?
Here are some Board and Executive-level questions to consider for your next
discussion regarding your organization’s enterprise-wide cybersecurity program:
1. Is the organization an NYSDFS covered entity, and if so, is the organization
complying with all the NYSDFS cybersecurity requirements?
2. Has an independent review of the latest penetration test executive reports
and their findings been conducted and provided to executive management
and/or the board? What follow-up actions have been identified, and which of
them require follow-up by executive management and/or the board to ensure
the best cybersecurity posture for the organization?
3. Has the organization secured its enterprise web infrastructure, and how has
this been independently verified?
4. Has the organization identified and continuously secured its most sensitive
data in transit and at rest across the entire enterprise? How has this been
5. Is the organization providing regularly scheduled cybersecurity awareness
training to all its employees and additional cybersecurity training to the
organization’s cybersecurity professionals? How has this been
If you have not read the NYSDFS statement, I would recommend taking a few
minutes to read this document.