Lessons from the First American Financial Corporation Breach

On July 21, 2020, the New York State Department of Financial Services (NYDFS) issued charges against First American Financial Corporation, a California based company, which provides title insurance and settlement services to the real estate and mortgage industries. According to the Statement of Charges and Notice of Hearing published by NYDFS, the company committed violations of six (6) sections of the Department’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) also known as NYDFS Part 500.

You might be thinking, well that law doesn’t apply to me so why should I study this breach? Let’s look closer at the requirements of NYDFS Part 500 and see if they are similar to your institution’s requirements.

1. Part 500.02- This section requires the institution to have a cybersecurity program meeting the following objectives:

• Designed to protect the confidentiality, integrity and availability of the entity’s information systems,Part 500.02- This section requires the institution to have a cybersecurity program meeting the following objectives:
• Based on the entity’s risk assessment,
• Designed to identify and assess risks to NPI (Non-Public Information),
• Implementing defensive infrastructure, policies and procedures to protect the entity’s information systems and NPI from unauthorized access or malicious acts,
• Detect, Respond, Recover Cybersecurity Events, and
• Fulfill applicable regulatory requirements.

• Data governance and classification,
• Asset inventory and device management,
• Access controls and identity management,
• Business continuity and disaster recovery,
• Customer data privacy, and
• Vendor Management

3. Part 500.07- This section requires the institution to limit user access privileges to NPI and periodically review these privileges.

4. Part 500.09- This section requires a periodic risk assessment which is documented and updated as reasonably necessary as changes occur in the institution’s environment.

5. Part 500.14- This section requires controls to monitor the activity of authorized users and to detect unauthorized use of NPI. Additionally, training for all personnel, which reflects the institution’s risks.

6. Part 500.15- This section requires encryption of NPI or documentation of the equivalent controls in place, which shall be reviewed and approved by the institution’s CISO.

These might be sounding pretty familiar to those requirements of GLBA because they essentially are the same. GLBA requires a program, policy, risk assessment, training, and limiting access to consumer information just to name a few of the similarities.

All of the parts outlined above are listed in the charges where the company allegedly failed to protect NPI in more than 850 million documents stored in its document imaging system from exposure via links that were alleged to be discoverable via internet search engines.

Here are the key lessons to take home to your information security program from the charges proposed by NYDFS:

1. Know where customer data (NPI) is stored, transmitted and processed. Failure to understand your environment will result in a failure to identify the risks and implement proper controls to protect customer data. Network and data flow diagrams are a great way to ensure this is understood. These should be reviewed and contributed to by employees across the institution to be sure the full picture is understood. This is the true root cause to this breach when you boil it down, however other factors contributed and are outlined below.
   
   
2. Do your due diligence on risks identified and reported. The vulnerability which ultimately lead to this breach was identified in a penetration test. This risk was underestimated, rated as a medium vs. high, due to the underestimation of customer data in the system. While the company did look at documents in the system to inform this risk, this was not a representative sample (1,000 of more than 850 million) and while NPI was found it was underestimated. As a result, several recommendations for a fix were provided by internal cybersecurity experts however did not result in action by the company. Six months later, the vulnerability was again brought to the company’s attention by an unassociated third party, security blogger Brian Krebs, leading to discovery and reporting of the breach.
   
   
3. Educate your users on what constitutes regulated information and the proper protections. In this case, employees were loading customer information into the document imagining system which did not have the proper controls to protect this information. The data classification process should have highlighted this, however failed to do so. Employees are the closest to the systems and processes and should be educated and involved in data classification and control implementation.

If you need help to ensure your security program is meeting your institutions risks, please reach out to us at support@bedelsecurity.com.