National Securities Fails to Report 2018 and 2019 Incidents
In addition to two reported incidents, National Securities Corporation faces a heavy penalty of $3M to answer for failing to disclose two security incidents in 2018 and 2019 to the New York Department of Financial Services (NYDFS). This violates NYDFS Cybersecurity Regulation (NYCRR 500), which provides standards for compliance in the financial industry. Companies are held responsible for security controls, data protection, and reporting data breaches.
Cybersecurity Regulation Violations
The insurer failed to implement multi-factor authentication (MFA) for all users until August 2020 as well as to inform NYDFS of the 2018 and 2019 incidents, which both involved attacks on employees’ Office 365 accounts.
In 2018, hackers were able to breach National Securities Corporation’s CFO’s email account using phishing emails. In 2019, hackers accessed a document management system associated with an employee’s tax software. Considering the company’s failure to implement any temporary CSO-approved cybersecurity measures pending MFA implementation, the insurer is facing the hefty penalty as well as a deadline of 120 days to demonstrate that it has a cybersecurity incident response plan as well as risk assessment procedures in place at the company.
The Company’s Response to the Attacks
National Securities Corporation did take some necessary steps following their 2018 and 2019 attacks. They changed their account credentials, informed potential victims of the breach, provided credit monitoring to the individuals affected, and reported to the Attorney General’s office as well as the IRS, SEC, FBI and County Sheriff’s office. However, failing to report to NYDFS is in violation of the Cybersecurity Regulation, waving a large red flag despite other correct steps taken by the company.
Corporate Efforts to Evade Fines and Penalties
It is tempting for companies to deal with these security breaches and data leaks privately to avoid fines and penalties as well as keep their names from headlines, but state, federal, and even international security departments are cracking down on violations by large corporations and companies who have viewed themselves to be above scrutiny.
Reporting to these entities is necessary for public safety while also acting as an accountability measure for companies who handle customers’ or clients’ sensitive information. Facebook faced similar repercussions earlier this month for a claim that a leak was resolved in 2019 only to result in a mass leak in early April this year.
With new cyberattack tactics and methods on the rise with increasing adaptive qualities, it is inevitable that these large companies will consistently be under attack. For this reason, departments such as the NYDFS have regulations in place to ensure that entities handling personal information have proper security measures in place as well as risk assessment procedures. For example, Geico, another major insurer, reported and issued a statement to their customers in early April as required by California state law. The silver lining among the bureaucratic messes is the spotlight shone on vulnerabilities in companies which, when appropriately addressed, results in more secure online activities for those companies as well as those subscribed to their services.