Department of Financial Services Seeks Breach Discovery and Response Details
The financial regulator in New York state has reportedly subpoenaed credit-reporting agency Equifax in the wake of it disclosing a massive breach that affected 143 million U.S. consumers.
The subpoena, sent to Equifax on Sept. 14 by New York’s Department of Financial Services, demands additional details about the breach, including when the company discovered the intrusion and how it responded, amongst other information, according to Reuters, which first reported the news of the subpoena.
Officials at DFS and Equifax could not be immediately reached for comment.
Data exposed in the Equifax breach, which affected 8 million New Yorkers, included names, Social Security numbers, birthdates, addresses, and in some cases also drivers’ license numbers.
Following Equifax’s Sept. 7 public breach notification, on Sept. 18, DFS detailed recommendations for all chartered and licensed financial institutions in New York state, especially for organizations that work with Equifax data.
Recommendations included ensuring that all firms’ software is running the latest patches, laying on additional call center staff to handle increased queries from consumers whose accounts or identities might have been stolen using information exposed in the Equifax breach, as well as including extra checks to ensure that information contained in Equifax credit reports is accurate, since the integrity of the data could have been compromised by attackers.
“Given the seriousness of this breach, the potential harm to consumers and our financial institutions, and in light of the fact that a number of financial institutions have arrangements with Equifax under which financial institutions provide consumer account and debt information to Equifax and receive similar information from Equifax, DFS is issuing this guidance to ensure that this incident receives the highest level of attention and vigilance at New York’s regulated institutions,” Maria T. Vullo, the state’s financial services superintendent, said in a statement.
This year, New York became the first state to pass its own cybersecurity regulation covering the financial services sector, much of which took effect March 1 (see Gauging the Impact of New York’s New Cyber Rules).
Since Aug. 28, meanwhile, “banks, insurance companies, and other financial services institutions regulated by DFS are required to have a cybersecurity program designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry,” according to DFS.
In addition, all covered entities must report “cybersecurity events” to DFS via an online cybersecurity portal, or else file a notice of exemption in the small number of types of cases in which this might apply.
Any organization that violates the DFS cybersecurity rules can be prohibited from doing any business in New York or with the state’s consumers.
New York Governor Andrew M. Cuomo has proposed that all credit-reporting bureaus – including Equifax, Experian and TransUnion – be made to comply with the DFS cybersecurity regulations.
If Equifax had been covered by those regulations, it would have been forced to notify state regulators within 72 hours of having discovered its breach, rather than waiting 40 days to issue a public breach notification (see Data Breach Notifications: What’s Optimal Timing?).
Equifax says it was breached after it failed to patch a known vulnerability in its Apache Struts web platform in March, which attackers subsequently exploited.
The breach is now the focus of a criminal investigation by the FBI.
In addition, Equifax is facing investigations by at least 40 state attorneys general, probes by the Federal Trade Commission and the U.S. Securities and Exchange Commission, hearings on Capitol Hill and inquiries and investigations from regulators in Britain and Canada, whose consumers were also affected by the breach. The company is also facing consumer lawsuits in the United States and Canada, and actions by financial services firms whose customers’ payment card details were exposed (see Credit Union Sues Equifax Over Breach-Related Fraud Costs).
Following the “retirement” of the company’s CIO and CSO, on Tuesday Equifax CEO Richard Smith likewise “retired” and was succeeded by Paulino do Rego Barros, Jr. – who most recently served as president of Asia Pacific for Equifax – as interim CEO. Equifax says Smith will forgo his severance package and 2017 bonus, and assist the company for up to 90 days. Smith, who in 2016 received a pay package of nearly $15 million, and who holds stock in the company currently valued at $29 million, has deferred any additional payments and compensation that he’s due until after the Equifax board concludes its cybersecurity investigation, a spokeswoman told Information Security Media Group (see After Mega-Breach at Equifax, CEO Richard Smith Is Out).
Information security experts say it will take more than Smith’s resignation to fix endemic data security and privacy problems in the credit-reporting sector.
“Smith is taking the fall for the whole broken industry,” says William Hugh Murray, an executive consultant and trainer in information assurance.
“He is rightfully criticized for the poor response but he was limited by what he could do without breaking the business model of the industry,” Murray adds. “Imagine granting the damaged subjects free access to their own data when the industry has an entire line of business that relies on the right to make money off of people whose identity has been put at risk.”
For all organizations, meanwhile, Chris Pierson, chief security officer and general counsel for payment services firm Viewpost, says that the Equifax breach is a reminder that the board of directors is ultimately responsible for all information security matters and creating and fostering a strong cybersecurity culture.
“Cybersecurity is a board-level matter; it must be about enabling the business and understanding and mitigating risk, and about trust and goodwill,” he tells ISMG. “If the current technology professionals are unable to have a seat at the business table, then companies must find the business and risk person who is a cybersecurity expert and give them the seat at the table.”
Big Breach Trifecta
Equifax is just one of a trifecta of big breaches that have come to light in recent weeks.
Others include Deloitte, which this week revealed that its Microsoft Azure cloud service had been hacked, apparently in March, and that 5 million internal emails may have been exposed. Some of the exposed emails stored by the “big four” accounting firm may have also contained attachments with sensitive or security-related details.
Another organization that recently issued a data breach notification was none other than the U.S. Securities and Exchange Commission, which oversees how public companies issue their own breach notifications, and which says its EDGAR document-filing system was hacked in May 2016.
But the agency only disclosed the breach last week, noting that stolen, non-public data obtained by attackers “may have provided the basis for illicit gain through trading.”
On Tuesday, SEC Chairman Jay Clayton, who took office in May, appeared before the Senate banking committee, where he issued a mea culpa, vowing that the agency would sharpen its own information security practices.
At the hearing, Clayton was asked directly about the Equifax breach, but he declined to address it directly. He did, however, call on public firms to better disclose any and all cyber risks they face (see SEC Chair Wants More Cyber Risk Disclosure From Public Firms).
“We expect people to constantly assess,” Clayton testified. “When they have notice of a cyber breach we expect people to constantly assess whether that breach is material to investors, and when they determine that it is, make appropriate disclosure promptly.”
Current SEC rules require companies to report cyber risks and breaches, but only if they pose material risks to investors. Individual companies get to determine what constitutes a material risk. And as Sen. Mark Warner, D-Virginia, noted during the hearing, many businesses appeared to be reaching nonsensical conclusions, such as Yahoo, which had not disclosed to the SEC a breach that exposed 500 million users’ records.
Warner also cited a study showing that since the year 2000, fewer than 100 out of 9,000 companies studied had ever had a breach that they believed was material.
“I find that absolutely unacceptable,” Warner said.