Financial Services Superintendent Maria T. Vullo today announced that the Department of Financial Services (DFS) has issued guidance to urge New York State chartered and licensed financial institutions to take immediate action and consider precautions to protect consumers in light of the cybersecurity attack at Equifax that compromised the personal information of millions of Americans.  The information accessed by hackers includes names, Social Security Numbers, birth dates, addresses, and, in some cases, drivers’ license numbers. The guidance issued today supports DFS’s first-in-the-nation cybersecurity regulation, which went into effect earlier this year, and requires banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

“The scope and scale of this cyberattack is unprecedented and DFS is prepared to take all actions necessary to protect New York’s consumers and financial markets,” Superintendent Vullo said.  “Given the seriousness of this breach, the potential harm to consumers and our financial institutions, and in light of the fact that a number of financial institutions have arrangements with Equifax under which financial institutions provide consumer account and debt information to Equifax and receive similar information from Equifax, DFS is issuing this guidance to ensure that this incident receives the highest level of attention and vigilance at New York’s regulated institutions.”

Initial reports indicate that hackers may have exploited a website application vulnerability to gain unauthorized access to very sensitive consumer and commercial data, which highlights the fact that financial institutions can no longer just rely on personally identifiable information (PII) as a means of verifying a person’s identity.  PII is being bought and sold as a result of events such as this latest incident, which increasingly necessitates consideration of Multi-Factor Authentication and Risk-Based Authentication techniques, as encouraged under the DFS’s cybersecurity regulation.

DFS is asking all New York State chartered and licensed financial institutions to consider the following:

• Ensure that all information technology and information security patches have been installed;
• Ensure that appropriate ID theft and fraud prevention programs are in place and followed for customer due diligence/Know Your Customer (“KYC”) purposes and before an account is opened, or a credit card is issued, or any loan or other form of financing is approved, whether for new applicants or existing clients, and, if appropriate, consider using an identity verification/fraud service for identity verification;
• Confirm the validity of information contained in Equifax credit reports (if they receive them) before relying on them for provision of products and services to new applicants, as well as existing clients, as they may have been compromised given the cyberattack;
• If appropriate, consider a customer call center for customers to call in and inform the institution if their information has been hacked, in which case, consider coding the customer account with a “red flag” to contact the customer at a pre-designated contact number or e-mail address prior to opening an account, issuing a credit card, providing a loan or any other form of financing or other services and products, or making any changes to existing accounts; and
• If the institution provides consumer or commercial related account and debt information to Equifax under any arrangement with Equifax, ensure that the terms of the arrangement receive a very high level of review and attention to determine any potential risk associated with the continued provision of data in light of this cyberattack, taking into consideration the Department’s requirements under its cybersecurity regulation with respect to third party service providers.

DFS’s cybersecurity regulation requires banks, insurance companies, and other financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.

A copy of the guidance can for depository and nondepository institutions can be found here.

A copy of the guidance for insurance institutions can be found here.

###