September 21, 2017 / 8:27 PM

New York proposes cyber security rules for credit-reporting, warns banks after Equifax breach

NEW YORK (Thomson Reuters Regulatory Intelligence) - The New York Department of Financial Services on Monday responded to the Equifax cyber attack by proposing to extend its ground-breaking data protection rules to credit reporting firms, in an attempt to fill a perceived regulatory gap. The New York regulator also issued a warning to banks on potential risk from the massive data breach and issued guidelines on how to limit damage.

A man takes part in a hacking contest during the Def Con hacker convention in Las Vegas, Nevada, U.S. on July 29, 2017.

In the new guideline, the NYDFS told financial services firms that heightened due diligence will be required after Equifax's breach because “the scope and scale of this cyber attack is unprecedented” and could undermine the reliability of the personal identifiers used to issue credit for millions of credit applications.

“Initial reports indicate that hackers may have exploited a website application vulnerability to gain unauthorized access to very sensitive consumer and commercial data, which highlights the fact that financial institutions can no longer just rely on personally identifiable information as a means of verifying a person’s identity,” said NYDFS Superintendent Maria Vullo.


The data breach surfaced just a week after the state’s first-in-the-nation cyber rules required the major banks and insurers to create strong internal controls and to alert the regulator of any material breaches. Governor Andrew Cuomo proposed rules that extend the agency’s oversight to credit reporting firms for the first time and will mean they must comply with the same cyber security rules that apply to banks and insurers.

New York moved to include the credit reporting firms under its cyber security rules because of their impact on covered banks and insurers. There was uncertainty in the financial services industry about liability in the Equifax breach since the NYDFS cyber security rules required banks and insurers to affirm the integrity of third party vendors.


The state banking regulator requires covered firms to report within 72 hours any material cyber incidents, but there was confusion in the industry about possible liability for cyber attacks hitting third-party providers. Equifax has extensive relationships with the covered banks. The new warning issued this week comes after NYDFS initially affirmed that the cyber security rules that took effect earlier this month did not apply to the Equifax event.

Delays by Equifax in reporting the breach have become a central issue in the incident and the U.S. Justice Department was among a number of state and federal regulators reportedly probing the firm over its alleged withholding of information as top executives sold stock soon after the breach was discovered. Equifax shares plunged by one-third after the breach was disclosed months after it took place.


U.S. enforcement agencies have pushed for quicker actions to respond to cyber incidents to contain the fast-moving viral attacks. The Justice Department two years ago launched a rapid-response initiative giving authorities legal powers and streamlining investigative operations to quell contagion. Prosecutors have warned private firms that they must play a role in sharing information to assist in cyber defense programs, although many have been reluctant to go public when their sensitive data is breached.

The New York cyber security rules were the first by any regulator designed for quick reporting of all incidents. The alleged failure of Equifax to report the data breach left clients unaware that hackers could have been using or selling the personally identifiable information in fraudulent schemes, NYDFS said in its new warning. The delays also hindered the ability of Equifax data clients to implement emergency measures.

“The Equifax breach was a wake-up call,” Cuomo said in a statement announcing the plan, “and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”


In addition to proposing the new regulation covering credit reporting firms, the state regulator outlined immediate steps that banks and credit issuers should take to verify client data and limit damage to consumers and financial firms. These include:

— Make certain all available patches and security measures are in place.

— Review the due diligence/Know Your Customer processes used in credit applications to understand the source and reliability of the data, and consider using identity verification fraud services to verify the process.

— Confirm the validity and privacy of information on Equifax reports in new credit applications and existing client accounts.

— Create a system for alerting consumers to account breaches and potential loss of data, using tools such as call centers and “red flags” on accounts to alert internal credit processors and clients about possible risks.

— Implement high-level review for the heightened risk of accounts that extend credit using Equifax data, “taking into consideration the department’s requirements under its cyber security regulation with respect to third party service providers.”

In addition to outlining the immediate steps banks and insurers can take, the state took action to fill the gap in regulation by imposing the same rules on the information providers used by the financial firms.


The credit-reporting firms have generated the most consumer complaints of any finance sub-sector since the Consumer Financial Protection Bureau was given the authority to oversee the industry under the Dodd-Frank Wall Street regulation overhaul.

But regulation of the firms is relatively light, given their size. The industry is dominated by three major players, Expedia, Experian and TransUnion. The firms are regulated most directly by the CFPB, which has taken a number of actions in recent years in response to consumer complaints over account abuses such as faulty data in credit reports and aggressive sales tactics by the firms. But the CFPB shares online oversight with the Federal Trade Commission, and the consumer banking agency has taken only a handful of small cases over data protection lapses and supervision.

The proposed regulation, ordered after Equifax Inc’s breach exposed sensitive data of up to 143 million people, would take effect in February, a statement from Cuomo said. If the companies fail to register, they risk being barred from doing business with financial companies regulated by the state.


Cuomo said credit reporting agencies each year will have to report their officers or directors who are responsible for compliance with laws and regulations involving financial services, banking and insurance. They must also institute robust cyber security measures and intrusion testing and appoint a chief information security officer responsible for the program.

The state would also be able to bar a credit reporting agency from doing business there if it is found to engage in “unfair, deceptive or predatory practices,” the statement said.

“The scope and scale of this cyber attack is unprecedented and DFS is prepared to take all actions necessary to protect New York’s consumers and financial markets,” Vullo said.

The NYDFS superintendent said the guidelines were issued because of “the seriousness of this breach, the potential harm to consumers and our financial institutions, and in light of the fact that a number of financial institutions have arrangements with Equifax.”

The guidance was given “to ensure that this incident receives the highest level of attention and vigilance at New York’s regulated institutions.”

(Richard Satran is a financial journalist covering daily and emerging issues for Thomson Reuters Regulatory Intelligence.)

This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Sept. 19. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters
