NY DFS Nails Insurance Firms on Cyber Fails

Regulators in New York have fined eight auto insurance businesses for poor cybersecurity practices that led to widespread privacy breaches in 2021. It’s our latest example of what cybersecurity risk looks like in the modern era, with numerous points that IT auditors and privacy compliance professionals can ponder. 

The New York Department of Financial Services announced the enforcement action earlier this week. The biggest names caught in the crackdown were The Hartford (fined $3 million), Farmers (fined $2.78 million) and Liberty Mutual (fined $2.7 million), plus five smaller firms that also do business in New York. DFS imposed $19.1 million in fines in total, and required all eight firms to implement corrective action plans so their security control failures don’t happen again.

So what did happen? As described in the DFS settlement orders, the firms fell victim to hackers who were targeting insurance firms in late 2020 and early 2021. Specifically, the hackers exploited the online price quote services the firms offered to consumers: the attackers supplied some personal data to the tool, which duped it into returning more personal data along with the quote.

The attacks happened as follows. First, the hackers would enter a partial amount of personal data into the price quoting tool, such as the person’s name, birth date, and address. That would trigger the tool to pull more data from a third-party data provider the insurance firm used, which would return a price quote along with all that other data — such as the person’s driver license number or the personal data of other drivers in the supposed customer’s household.

At this point you might wonder: Didn’t those price quote tools somehow redact the personal data they returned, such as only displaying the last few digits of the driver license number? Yes, the tools generally did obscure the data in the display shown on a user’s screen; but they also sent the full, unredacted data in the source code of that page.

So if you knew how to extract the source code (which the hackers did), you could obtain all that personal data anyway.
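To make the control failure concrete, here is an added example (not code from the article or from any of the insurers) contrasting a quote page that masks the driver license number only in what the browser displays with one that masks it on the server and drops fields the page does not need. The record, field names, license format and helper names are all constructed for illustration; the `response_leaks` check is the kind of test an audit or QA team can run against every customer-facing template that handles enriched third-party data.

```python
"""Added example (constructed; not the article's or any insurer's code): cosmetic
masking vs. server-side masking of enriched quote data, plus a leak check that
inspects the raw response body, i.e. what 'view source' shows."""
import html
import json

# Constructed record standing in for what a third-party data provider returns
# after the user supplies a name, birth date and address.
ENRICHED_QUOTE = {
    "name": "Jane Example",
    "drivers_license": "D1234-5678-9012",          # constructed, not a real format
    "household_drivers": ["Sam Example", "Alex Example"],
    "premium_usd": 812,
}


def mask_license(dl: str, visible: int = 4) -> str:
    """Keep only the last `visible` characters; replace the rest with '*'."""
    return "*" * (len(dl) - visible) + dl[-visible:]


def render_quote_leaky(rec: dict) -> str:
    """'Before' pattern: the server ships the full record into the page and
    relies on the browser to hide most of it. The masking is cosmetic; the
    unmasked values sit in a data attribute and an inline script."""
    full_dl = html.escape(rec["drivers_license"])
    page_state = json.dumps(
        {"dl": rec["drivers_license"], "household": rec["household_drivers"]}
    )
    return (
        f'<div class="quote" data-dl="{full_dl}">'
        f'<p>Premium: ${rec["premium_usd"]}</p>'
        f'<p>DL: <span class="masked">{html.escape(mask_license(rec["drivers_license"]))}</span></p>'
        f"<script>window.__quote = {page_state};</script>"
        "</div>"
    )


def render_quote_hardened(rec: dict) -> str:
    """'After' pattern: build a view model containing only what the page must
    show, with masking applied before anything leaves the server."""
    view = {
        "premium_usd": rec["premium_usd"],
        "dl_masked": mask_license(rec["drivers_license"]),
    }
    return (
        '<div class="quote">'
        f'<p>Premium: ${view["premium_usd"]}</p>'
        f'<p>DL: {html.escape(view["dl_masked"])}</p>'
        "</div>"
    )


def response_leaks(page: str, rec: dict) -> bool:
    """Defender-side check: does the raw response body contain any sensitive
    value verbatim? True means the template fails the test."""
    secrets = [rec["drivers_license"], *rec["household_drivers"]]
    return any(secret in page for secret in secrets)


if __name__ == "__main__":
    for name, renderer in (("leaky", render_quote_leaky), ("hardened", render_quote_hardened)):
        print(f"{name}: leaks={response_leaks(renderer(ENRICHED_QUOTE), ENRICHED_QUOTE)}")
```

The point of the check is that it looks at the bytes sent over the wire, not at the rendered page; a template that passes visual review can still fail it, which is exactly the gap the settlement orders describe.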

Those poor security controls constituted a violation of New York’s Cybersecurity Rule for financial firms, and here we are.

Security Control Concerns

Two issues immediately come to mind here.

First, these cases are a reminder that personal data must be kept encrypted and hidden from prying eyes at all times, including when that data is being passed from one internal system to another. When IT auditors are assessing the risks of business processes (such as providing a customized price quote to an individual person), they should be tracking where confidential data is flowing throughout that entire process. 

As the settlement order against Farmers succinctly put it: “Farmers’ design of the [price quote tool], which allowed for unredacted and unprotected personal information to be sent to and stored in the source code of the application, reflected a failure to use effective controls to prevent unauthorized access.” 

The real risk isn’t just where your confidential data is kept, and whether it’s encrypted or redacted while at rest. It’s also how your various business applications use that data, and pass it around from one IT application to another within your larger IT environment. You need to keep the data secure and unavailable to outsiders while the data is in transit, too. 

The second issue is one of third-party risk. It seems that all eight firms used the same tool to gather personal data for those online price quotes. (Either that, or the firms miraculously happened to use different tools that all worked in the same way and all fell victim to the same attack at the same time.) 

The lesson here is that when multiple businesses use the same tech vendor for the same service, you all have an identical point of failure — which the hackers know, and will therefore target that vendor-dependent process so they can reap maximum benefit for least effort. 

This threat isn’t new. On the contrary, financial regulators have worried about the cybersecurity risks posed by tech vendors at least since 2017. This week’s DFS enforcement just reminds us that the threat of industry reliance on a few vendors is real. IT audit teams need to keep it in mind and let it guide their risk assessments and remediation plans.

Responsiveness to Regulators

The other interesting dimension to this enforcement sweep is that DFS expressly warned insurance firms that they were being targeted by hackers looking to exploit the online price quote process. The department published a bulletin to insurance firms on Jan. 28, 2021, explaining the details and warning firms to “immediately review customer-facing website security” and “report cybersecurity events … as promptly as possible and within 72 hours at the latest.”

The eight firms swung into action, and all eight detected the problematic activity soon enough. (One telltale sign: a spike in incomplete price quote transactions, indicating that the hackers had found the personal data they wanted and then stopped interacting with the tool.) 
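The telltale sign mentioned above, a spike in quote sessions that start but never complete, is easy to turn into a detection rule. The following is an added example, not code from the article or from any insurer, that runs over a few constructed application log lines: it buckets quote sessions into five-minute windows, computes the share that never completed, and raises an alert when that share exceeds a threshold, naming the source address behind most of the abandoned sessions so an analyst has something to pivot on. The log format, field names, thresholds and addresses are all assumptions made for the example.

```python
"""Added example (constructed; not from the article or any insurer): flag
windows in which an unusual share of price-quote sessions start but never
complete. Log format and all values are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines: timestamp, client address, event, session id.
# The 08:50 window shows ordinary traffic (one genuine abandonment); the 09:00
# window shows one address starting many sessions and completing none.
LOG_LINES = """\
2021-02-01T08:50:10 203.0.113.20 QUOTE_START s0
2021-02-01T08:50:40 203.0.113.20 QUOTE_COMPLETE s0
2021-02-01T08:51:05 203.0.113.21 QUOTE_START s1
2021-02-01T08:51:50 203.0.113.21 QUOTE_COMPLETE s1
2021-02-01T08:52:00 203.0.113.22 QUOTE_START s2
2021-02-01T08:52:35 203.0.113.22 QUOTE_COMPLETE s2
2021-02-01T08:53:00 203.0.113.23 QUOTE_START s3
2021-02-01T08:53:45 203.0.113.23 QUOTE_COMPLETE s3
2021-02-01T08:54:00 203.0.113.24 QUOTE_START s4
2021-02-01T09:00:01 203.0.113.10 QUOTE_START s5
2021-02-01T09:00:30 203.0.113.10 QUOTE_COMPLETE s5
2021-02-01T09:01:00 203.0.113.11 QUOTE_START s6
2021-02-01T09:01:40 203.0.113.11 QUOTE_COMPLETE s6
2021-02-01T09:02:00 198.51.100.7 QUOTE_START s7
2021-02-01T09:02:03 198.51.100.7 QUOTE_START s8
2021-02-01T09:02:06 198.51.100.7 QUOTE_START s9
2021-02-01T09:02:09 198.51.100.7 QUOTE_START s10
2021-02-01T09:02:12 198.51.100.7 QUOTE_START s11
2021-02-01T09:03:00 203.0.113.12 QUOTE_START s12
2021-02-01T09:03:50 203.0.113.12 QUOTE_COMPLETE s12
""".splitlines()


def parse_line(line: str):
    """Split one constructed log line into (timestamp, ip, event, session)."""
    ts, ip, event, session = line.split()
    return datetime.fromisoformat(ts), ip, event, session


def window_start(ts: datetime, minutes: int = 5) -> datetime:
    """Floor a timestamp to the start of its N-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def summarize(lines, minutes: int = 5) -> dict:
    """Per window: number of sessions started, how many never completed, and
    which addresses the incomplete sessions came from. A session is counted
    in the window it started in; completion is looked up across the whole log."""
    started = {}        # session -> (window, ip)
    completed = set()
    for line in lines:
        ts, ip, event, session = parse_line(line)
        if event == "QUOTE_START":
            started[session] = (window_start(ts, minutes), ip)
        elif event == "QUOTE_COMPLETE":
            completed.add(session)

    stats = defaultdict(lambda: {"starts": 0, "incomplete": 0, "incomplete_by_ip": Counter()})
    for session, (win, ip) in started.items():
        bucket = stats[win]
        bucket["starts"] += 1
        if session not in completed:
            bucket["incomplete"] += 1
            bucket["incomplete_by_ip"][ip] += 1
    return dict(stats)


def flag_windows(stats: dict, max_ratio: float = 0.4, min_starts: int = 5) -> list:
    """Alert on windows whose incomplete-session ratio exceeds max_ratio.
    min_starts avoids alerting on a single abandoned quote in a quiet period."""
    alerts = []
    for win in sorted(stats):
        bucket = stats[win]
        if bucket["starts"] < min_starts:
            continue
        ratio = bucket["incomplete"] / bucket["starts"]
        if ratio > max_ratio:
            top_ip, count = bucket["incomplete_by_ip"].most_common(1)[0]
            alerts.append({
                "window": win.isoformat(),
                "ratio": round(ratio, 3),
                "top_ip": top_ip,
                "top_ip_incomplete": count,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_windows(summarize(LOG_LINES)):
        print(alert)
```

The thresholds here are placeholders; in practice the baseline ratio of abandoned quotes should come from the firm's own historical traffic, and the alert should feed the same reporting process the regulator's bulletin asked firms to have ready.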

Farmers and another firm, Infinity Insurance Co., however, failed to report their cyber intrusions within the 72-hour window required by DFS regulations. So that was another lapse on their part, in addition to the poor internal security controls that allowed the breach to happen in the first place. (Farmers, for example, received the January bulletin from DFS, discovered the attackers by Feb. 1, remediated the problem by Feb. 5 — and then didn’t report the incident to DFS until March 19.) 

That’s a failure of process rather than of internal control: the firms needed a proven, tested way to report cyber intrusions to the proper regulator once an intrusion is detected. That would be true at any time, and even more so when the regulator expressly tells you what incident to watch for and how quickly you should report it. Ouch. 

Anyway, if this story of hackers exploiting online price quote tools sounds familiar, that’s because DFS previously sanctioned two other insurance firms last year for the same offenses. Now we have eight more firms swept up in the same cybersecurity blunders, which makes me wonder whether we’re at the end of this DFS enforcement sweep. Perhaps not.