NYDFS to covered entities: "Take your annual certifications seriously"

Last month the New York Department of Financial Services announced a $1.8 million settlement with First Unum Life Insurance Company of America (First Unum) and Paul Revere Life Insurance Company (Paul Revere) for violations of 23 NYCRR Part 500, the cybersecurity regulation applicable to financial institutions regulated by the Department.  

The consent order is about the failure to implement multi-factor authorization (MFA), at this point, companies should all realize the importance of this (and you should also activate it on your personal email accounts).  But there is another critical lesson here: take your annual certifications seriously.  

First Unum was the subject of multiple successful phishing attacks that led to successful account takeovers of various O365 email accounts:

-  The first of the two attacks, impacting both First Unum and Paul Revere, was discovered in September 2018 and reported to the Department just over a month later. 

- The second attack occurred over a year later, in October 2019, and was also reported to the Department.  First Unum and Paul Revere share the same cybersecurity program rolling up to one CISO.  

MFA was only partially implemented within the 0365 email environment at the time of the first incident.  But First Unum certified compliance with Part 500.  At the time of the second incident, MFA had been implemented, but a misconfiguration error allowed a broader range of IP addresses to bypass MFA than had been intended. Again, First Unum certified compliance with Part 500.  As a result of the incidents, First Unum and Paul Revere were fined $1.8 million and subject to numerous remediation requirements such as conducting a comprehensive cybersecurity risk assessment and hiring a third-party to audit its MFA implementation.

You may say to yourself, taking some time to implement MFA and a mistake in MFA configuration does not sound unreasonable.  Many folks at large organizations would agree with you.  Maybe the Department would as well.  What the Department will not tolerate, however, is what it views as a false certification. 

This consent order is a clear signal that the Department wants to be able to rely on the annual certification as an effective incentive for organizations to either effectively implement required controls or to otherwise document actual plans to close any material gaps.  Here, First Unum and Paul Revere had submitted certifications covering the relevant periods which assert full compliance with Part 500.  

However, in light of the companies’ failure to implement MFA (or failure to follow the regulation’s guidance on exceptions to the MFA requirement), they should have declined to file the annual certification and memorialized their plans for compliance.  Instead, they had to call a regulator in to examine two breaches that may have been avoided or successfully mitigated based on controls that, according to their annual certifications, had already been fully implemented.

Here is the lesson: Part 500 requires a certification completed after a risk assessment.  And it requires an update to the Board and senior management about the cyber program.  This is a big deal that should take days of work, not hours.  

Whether you agree or disagree with that approach, the bottom line is that if your organization is subject to the Department’s jurisdiction, you need to ensure that your organization’s annual certifications are accurate, that your process for assessing your cybersecurity program for purposes of the certification is fulsome and well documented, and that your organization utilizes sufficient time and resources to assess its compliance effectively.  

Even though this year’s certification deadline has passed, you never know when you may have to report a new cybersecurity event to the Department and what that incident says about the accuracy of your last certification.  Don’t let MFA act as a red herring.  

There are plenty of requirements in the Part 500 Cybersecurity regulation that can be difficult to implement, so taking this consent order as simply a call to take another look at your MFA implementation would be a mistake.  Instead, understand the process the Department wants its covered entities to undergo and embrace it.