NYDFS Issues Report on Twitter Hack
Background on the Cybersecurity Regulation
The Cybersecurity Regulation went into effect on March 1, 2017, with a two-year transitional period that ended on March 1, 2019, the compliance deadline for third-party risk management. The Cybersecurity Regulation applies to New York-chartered or licensed financial institutions, such as credit unions, insurance firms, and mortgage companies, as well as the third-party service providers with which the regulated entities work.
As described in its Introduction, the Cybersecurity Regulation follows a risk-based approach that requires a regulated entity “to assess its specific risk profile and design a program that addresses its risks in a robust fashion,” including:
- Written cybersecurity policy
- Qualified individual responsible for overseeing and implementing the cybersecurity program
- Periodic employee training
- Limitations on access privileges
- Multi-factor authentication
- Penetration testing and vulnerability assessments
- Application security
- Data minimization
- Written policy for assessing and monitoring the security of third-party service providers
The Cybersecurity Regulation also requires a regulated entity to report a material cybersecurity event within 72 hours after the regulated entity’s determination that it occurred.
On July 22, 2020, the NYDFS announced that it had filed a Statement of Charges against First American Title Insurance Company (“First American”), the NYDFS’ first enforcement action under the Cybersecurity Regulation. The Statement of Charges alleges that First American exposed more than 850 million documents containing consumers’ sensitive personal information due to a known vulnerability on a public-facing website that made customer information “available to anyone with a web browser.” In the six months following “discovery of the [vulnerability], [First American] failed to correct the vulnerability even though hundreds of millions of documents were exposed” because First American “failed to follow its own cybersecurity policies”; “failed to heed advice proffered by its own in-house cybersecurity experts”; and “remediation was ineffectively assigned to an unqualified employee,” among other alleged deficiencies.
As compared to the general reasonableness standard incorporated into many state data security laws, the Cybersecurity Regulation is relatively prescriptive. Nonetheless, the NYDFS considers (as per the Twitter Report) the Cybersecurity Regulation as “carefully designed to be flexible enough to apply to the thousands of companies regulated by the Department, from global corporations to small businesses.” This flexibility also created some ambiguity about the NYDFS’ compliance expectations, which the Twitter Report and First American charges help to address.
The Twitter Report
The Twitter Hack targeted NYDFS’ regulated cryptocurrency exchanges and their customers. An impetus for releasing the Twitter Report arose from the NYDFS’ concern that the history of cybersecurity attacks on social media platforms creates risks to the “stability and integrity of elections, financial markets, and national security,” especially since social media platforms now have such a prominent role in global communications.
According to the “Facts of the Hack” section of the Twitter Report, the hack occurred during a 24-hour period during which the hacker (1) launched social engineering attacks to gain access to Twitter’s network, (2) gained control of accounts with desirable handles and sold access to them, and (3) hijacked several high-profile Twitter accounts (including those of Presidential Candidate Joe Biden, former President Obama and Elon Musk) and used them to convince people to send bitcoin to the hacker. (On July 31st, The New York Times reported that the alleged mastermind of the Twitter hack was a 17-year-old recent high school graduate from Florida. He was aided by a 19-year-old UK resident and a 22-year-old Floridian.)
Twitter’s vulnerability to social engineering, together with the new cybersecurity issues created by Twitter’s shift to “Work From Home” and gaps in Twitter’s cybersecurity leadership, helped set the fraudsters up for success, according to the NYDFS. Specifically:
- NYDFS noted that: “[t]he Twitter Hack started on the afternoon of July 14, 2020, when one or more Hackers called several Twitter employees and claimed to be calling from the Help Desk in Twitter’s IT department. The Hackers claimed they were responding to a reported problem the employee was having with Twitter’s Virtual Private Network.”
- NYDFS called out Twitter’s CISO vacancy for the seven months preceding the hack and weak internal controls:
“The Hackers’ success was due in large part to weaknesses in Twitter’s internal cybersecurity protocols…. Strong leadership is especially needed in 2020, when the COVID-19 pandemic has created a host of new challenges for IT and cybersecurity. Like many organizations, in March Twitter transitioned to remote working due to the pandemic. This transition made Twitter more vulnerable to a cyberattack and compounded existing weaknesses.”
Twitter Report readers also were reminded that, in April 2020, the NYDFS issued guidance under the Cybersecurity Regulation that identified “several areas of heightened cybersecurity risk” arising from the COVID-19 pandemic. The NYDFS called out Twitter for failing to implement “any significant compensating controls after March 2020 to mitigate this heightened risk to its remote workforce.”
The Twitter Report concludes by reiterating many of the same issues identified in the April 2020 guidance, including:
(1) increased need for cybersecurity risk detection and mitigation for:
- remote access, such as use of multi-factor authentication and secure VPN connections that will encrypt all data in transit;
- devices, particularly due to increased use of personal devices, including “locking down the devices so applications cannot be added or deleted by the user, and installing appropriate security software, such as endpoint detection & response and mobile device management”;
- video and audio-conferencing applications, including configuring them to limit unauthorized access and making sure that employees are given guidance on how to use them securely; and
- data loss prevention, including from unauthorized personal accounts and applications, the use of which increased while employees adapted to working from home.
(2) training and other risk management strategies to address the increase in online fraud and phishing attempts related to COVID-19.
(3) evaluation of critical vendors and whether and how they are adequately addressing the new pandemic-related risks.
Although the Cybersecurity Regulation does not apply to many businesses, the NYDFS is viewed as an influential regulator. For example, the National Association of Insurance Commissioners’ Insurance Data Security Model Law is closely aligned with the Cybersecurity Regulation (see, e.g., Drafting Note to Section 2), which means other enforcement authorities may look to the Twitter Report for ideas about directions for their own enforcement. The Twitter Report also could offer clues about enforcement activity by the New York Attorney General under the ‘sister’ New York law known as the Stop Hacks and Improve Electronic Data (SHIELD) Act (effective March 21, 2020), which does apply broadly to any business that owns or licenses computerized data about a New York resident. Perhaps most importantly, the Twitter Report is another reminder for all businesses about the critical need for ongoing risk assessment and monitoring of cybersecurity practices and procedures in relation to their current operating environments and the quantity and sensitivity of information processed.