Financial regulators in the state of New York just served up quite the example of cybersecurity enforcement, with a $5 million fine slapped against Carnival Corp. for failing to report several cybersecurity breaches in a timely manner and failing to implement required technical controls that would’ve reduced the odds of those attacks in the first place.
The settlement, announced by the New York Department of Financial Services last Friday, is an excellent study in how New York enforces its cybersecurity rules, formally known as 23 NYCRR Part 500. The settlement order provides numerous, specific details about where Carnival went wrong, and from there we can reverse-engineer broader lessons so other companies can avoid a similar fate.
What happened? In brief, Carnival suffered four cybersecurity breaches from 2019 into 2021 — but failed to disclose those incidents to the Department of Financial Services (DFS) within required deadlines, because Carnival’s incident response plan didn’t include the DFS notification requirement. Carnival had also failed to implement two-factor authentication on certain IT systems, which gave attackers a much easier time breaking into Carnival’s systems. (Carnival, a cruise company headquartered in Florida, was subject to New York DFS rules because it sold travel insurance in the state.)
Those two issues alone make this an instructive case, because Carnival had both policy failures (a flawed incident response plan) and technical failures (lack of two-factor authentication). They demonstrate how cybersecurity compliance can be such a tricky thing: you need expertise in both policy management and IT controls, which are very different things and often operate in silos independent of each other — and yet, to achieve compliance, the organization somehow needs to coordinate them both.
If you can’t achieve that coordination, you risk certifying compliance with Part 500 when you are not actually compliant. Then the DFS can drop the hammer on you, which is what happened here.
The Allegations Against Carnival
As spelled out in the DFS settlement order, Carnival suffered its first cybersecurity breach in spring 2019. IT security teams were alerted in May of that year that one company email account was sending spam messages to other company email accounts. When they investigated, the Carnival security team found that from April to July of 2019, attackers had gained access to more than 120 Carnival corporate email accounts. With that access, the attackers launched phishing attacks and swiped the private information of hundreds of New York residents — primarily names, addresses, passport or driver’s license numbers, and a few instances of banking information as well.
Important point here: Carnival hosted its email services on Office365, Microsoft’s cloud-based software platform. At the time of the breach in 2019, one of Carnival’s subsidiaries hadn’t yet finished rolling out multi-factor authentication (MFA) on its Office365 environment — even though Part 500’s MFA requirement had been effective since March 1, 2018.
Part 500 requires multi-factor authentication (where you need both a user ID and password and another credential, such as a one-time code sent to your cell phone) for any persons accessing a corporate network from an external network. MFA is a crucial security control to thwart attackers.
It’s not clear that Carnival’s failure to implement MFA across its whole enterprise directly led to the 2019 attack, but Carnival had been certifying compliance with Part 500 when it hadn’t met the MFA requirement.
Plus, as we noted earlier, Carnival’s incident response plan omitted a step to notify New York DFS officials within 72 hours of determining that a breach had happened. Carnival didn’t alert DFS until April 2020, nearly a full year after Carnival’s IT security folks knew they had an issue.
Carnival then suffered another cybersecurity breach in 2020 (a ransomware attack) and two more in 2021 (a ransomware attack and a phishing attack). The company did report those breaches to DFS more promptly, but, DFS said, “Given the occurrence of four cybersecurity events, with at least some being the result of successful phishing attacks, all within a period of less than four years, demonstrates that the Carnival Companies’ training was inadequate.”
Because of all those issues, DFS said, Carnival’s certifications of compliance for 2018, 2019, and 2020 were invalid. (Even though the certifications themselves were filed in a timely manner.)
The most important lesson here is that CISOs need to be on their game with compliance; that’s it.
Typically that will mean using some sort of GRC tool to help with the task, because complying with so many different cybersecurity regulations is nearly impossible with spreadsheets. Whatever tool you decide to use, it will need to…
- Map out what controls are necessary for various cybersecurity rules;
- Identify which controls you don’t yet have in place, so you’ll know the work you need to do;
- Track your company’s progress on that work, so you know when you’ve implemented all necessary controls and can certify compliance with confidence rather than a wing and a prayer.
This is also another opportunity for us to plug the benefits of control mapping, since many cybersecurity regulations require the same basic controls — meaning, one control can satisfy multiple compliance obligations. That’s very much the case with multi-factor authentication; it’s required by New York’s Part 500, and strongly encouraged by the Biden Administration’s cybersecurity order from last year. (CISA, the country’s top cybersecurity regulator, issued another reminder on MFA earlier this year, that it’s critical to ward off attacks that might be sponsored by Russia.)
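As an added illustration (this is not code from the article, the settlement order, or any GRC product), here is a small Python model of the three capabilities listed above and of the control-mapping idea: a catalogue of controls, a map from each obligation to the controls it requires, the gap analysis that tells you what work remains, the set of controls that satisfy more than one obligation, and a certification check that refuses to say "compliant" until every required control is fully rolled out and backed by evidence. "NYDFS Part 500" is the rule discussed on the page; the second framework, the control identifiers, the coverage figures and the evidence strings are all constructed for the example. The coverage field exists so that a control rolled out in most of the enterprise but not all of it (the situation described for one Carnival subsidiary's MFA) is still reported as a gap.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed control catalogue (identifiers are made up for this example).
CONTROLS = {
    "MFA_EXTERNAL_ACCESS": "Multi-factor authentication for access from external networks",
    "IR_PLAN_REGULATOR_NOTICE": "Incident response plan that includes the regulator-notification step and deadline",
    "SECURITY_AWARENESS_TRAINING": "Phishing-aware security training, tested periodically",
    "ACCESS_REVIEW": "Periodic review of privileged access",
}

# Which controls each obligation requires. "FRAMEWORK_B" is a hypothetical second
# framework, included only to show that one control can satisfy several obligations.
OBLIGATIONS = {
    "NYDFS Part 500": {
        "MFA_EXTERNAL_ACCESS", "IR_PLAN_REGULATOR_NOTICE", "SECURITY_AWARENESS_TRAINING",
    },
    "FRAMEWORK_B (hypothetical)": {
        "MFA_EXTERNAL_ACCESS", "SECURITY_AWARENESS_TRAINING", "ACCESS_REVIEW",
    },
}


@dataclass
class ControlStatus:
    """Implementation state of one control as a GRC tool might track it."""
    control_id: str
    coverage: float   # fraction of the in-scope estate where the control is enforced (0.0 to 1.0)
    evidence: str     # pointer to proof (report, ticket, audit log); empty means no evidence on file

    def implemented(self) -> bool:
        # A control counts only when it is enforced everywhere in scope and can be evidenced.
        return self.coverage >= 1.0 and bool(self.evidence)


# Constructed status data. MFA is rolled out on most, not all, of the estate; the incident
# response plan exists but lacks the regulator-notification step, so it has no coverage.
SAMPLE_STATUSES = {
    "MFA_EXTERNAL_ACCESS": ControlStatus("MFA_EXTERNAL_ACCESS", 0.8, "mfa-enforcement-report (constructed)"),
    "IR_PLAN_REGULATOR_NOTICE": ControlStatus("IR_PLAN_REGULATOR_NOTICE", 0.0, ""),
    "SECURITY_AWARENESS_TRAINING": ControlStatus("SECURITY_AWARENESS_TRAINING", 1.0, "training-completion-report (constructed)"),
    "ACCESS_REVIEW": ControlStatus("ACCESS_REVIEW", 1.0, "quarterly-access-review (constructed)"),
}


def implemented_controls(statuses: dict) -> set:
    """Identifiers of controls that are fully rolled out and evidenced."""
    return {cid for cid, s in statuses.items() if s.implemented()}


def gaps_by_obligation(obligations: dict, statuses: dict) -> dict:
    """For each obligation, the required controls that are not yet implemented (the work to do)."""
    done = implemented_controls(statuses)
    return {name: required - done for name, required in obligations.items()}


def shared_controls(obligations: dict) -> set:
    """Controls required by more than one obligation: implement once, satisfy several rules."""
    counts = Counter(cid for required in obligations.values() for cid in required)
    return {cid for cid, n in counts.items() if n > 1}


def certification_readiness(obligations: dict, statuses: dict) -> dict:
    """True for an obligation only when its gap set is empty; otherwise certifying would be premature."""
    return {name: not gap for name, gap in gaps_by_obligation(obligations, statuses).items()}


if __name__ == "__main__":
    for name, gap in gaps_by_obligation(OBLIGATIONS, SAMPLE_STATUSES).items():
        print(f"{name}: missing {sorted(gap) or 'nothing'}")
    print("controls that satisfy multiple obligations:", sorted(shared_controls(OBLIGATIONS)))
    print("ready to certify:", certification_readiness(OBLIGATIONS, SAMPLE_STATUSES))
```

Run as-is, the report shows Part 500 still missing MFA (80% coverage is not 100%) and the notification step in the incident response plan, so the readiness check returns False for it; that is exactly the point at which a company should not be signing a certification of compliance.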
We could call out specific controls, such as implementing MFA or testing employees on their cybersecurity training or confirming that your breach notification clauses are accurate; a company does need to have all that in order. The true issue, however, is your ability to assure that those controls are in place.
Building that capability is what CISOs need to do, to keep boards and regulators happy.