NY Department of Financial Services Issues Cyber Fraud Alert to Regulated Entities Using Instant Quote Websites
On February 16, 2021, the New York Department of Financial Services (“NYDFS”) issued a Cyber Fraud Alert (the “Alert”) to regulated entities in light of a growing campaign to steal Nonpublic Information (“NPI”), as defined under New York law, from public-facing websites that provide instant quotes for products like auto insurance (“Instant Quote Websites”). The NYDFS learned of the threat after receiving reports from auto insurers that cybercriminals were targeting their premium quote sites to steal driver’s license numbers. NYDFS attributes the growing threat activity, in part, to heightened fraud during the COVID-19 pandemic. As we previously reported, NYDFS issued guidance regarding cybersecurity during the pandemic in April 2020.
The Alert (1) calls for all regulated entities with public-facing websites to immediately remediate any security flaws; (2) reminds regulated entities to report Cybersecurity Events as promptly as possible and within 72 hours at the latest pursuant to New York cybersecurity requirements for financial services companies; and (3) asks that attempted thefts of NPI from public-facing sites promptly be reported to NYDFS.
The Alert contains additional information on detecting data theft and states that all regulated entities that use Instant Quote Websites should immediately review (1) data analytics and website traffic metrics for spikes in quote requests and (2) server logs for evidence of unauthorized access to NPI, in order to determine whether their sites have already been targeted.
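The two checks above are easy to run against ordinary web server access logs. The following is an added example, not code from the Alert or from NYDFS, that parses a handful of constructed access-log lines in the common nginx/Apache "combined" format, counts quote submissions per minute to surface spikes, and flags client IPs that either submit an unusual number of quotes or submit them without a Referer from the insurer's own form. The endpoint path `/quote/`, the origin `https://insurer.example`, the thresholds, and the idea that a missing Referer indicates scripted access are all assumptions for illustration; tune them to the site's real traffic baseline before acting on the output.

```python
"""Spike and scripted-access detection over web server access logs."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the nginx/Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2021:09:58:40 +0000] "GET /quote HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2021:09:59:02 +0000] "POST /quote/auto HTTP/1.1" 200 5120 "https://insurer.example/quote" "Mozilla/5.0"
192.0.2.44 - - [16/Feb/2021:10:00:10 +0000] "POST /quote/auto HTTP/1.1" 200 5090 "https://insurer.example/quote" "Mozilla/5.0"
198.51.100.23 - - [16/Feb/2021:10:01:00 +0000] "POST /quote/auto HTTP/1.1" 200 5110 "-" "python-requests/2.25.1"
198.51.100.23 - - [16/Feb/2021:10:01:04 +0000] "POST /quote/auto HTTP/1.1" 200 5112 "-" "python-requests/2.25.1"
198.51.100.23 - - [16/Feb/2021:10:01:09 +0000] "POST /quote/auto HTTP/1.1" 200 5108 "-" "python-requests/2.25.1"
198.51.100.23 - - [16/Feb/2021:10:01:15 +0000] "POST /quote/auto HTTP/1.1" 200 5115 "-" "python-requests/2.25.1"
198.51.100.23 - - [16/Feb/2021:10:01:22 +0000] "POST /quote/auto HTTP/1.1" 200 5111 "-" "python-requests/2.25.1"
198.51.100.23 - - [16/Feb/2021:10:01:30 +0000] "POST /quote/auto HTTP/1.1" 200 5109 "-" "python-requests/2.25.1"
203.0.113.7 - - [16/Feb/2021:10:02:45 +0000] "POST /quote/auto HTTP/1.1" 200 5121 "https://insurer.example/quote" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
QUOTE_PATH = "/quote/"                   # assumed path prefix of the quote endpoint
OWN_ORIGIN = "https://insurer.example"   # assumed origin of the legitimate quote form


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def quote_submissions(entries):
    """Only POSTs to the quote endpoint count as quote requests."""
    return [e for e in entries if e["method"] == "POST" and e["path"].startswith(QUOTE_PATH)]


def quotes_per_minute(entries):
    """Quote submissions per one-minute bucket; a scripted harvest shows up as a spike."""
    buckets = Counter()
    for e in quote_submissions(entries):
        buckets[e["ts"].replace(second=0, microsecond=0)] += 1
    return buckets


def spike_minutes(entries, threshold):
    """Minutes in which submissions exceeded the (site-specific) baseline threshold."""
    return sorted(t for t, n in quotes_per_minute(entries).items() if n > threshold)


def suspicious_ips(entries, max_quotes_per_ip=3):
    """Map IP -> reasons. An IP is flagged if it submits more than max_quotes_per_ip
    quotes, or if any of its submissions lacks a Referer from our own form (assumed
    here to indicate a script posting directly rather than a browser on the site)."""
    subs = quote_submissions(entries)
    per_ip = Counter(e["ip"] for e in subs)
    flagged = {}
    for ip, n in per_ip.items():
        reasons = []
        if n > max_quotes_per_ip:
            reasons.append(f"{n} quote submissions")
        if any(not e["referer"].startswith(OWN_ORIGIN) for e in subs if e["ip"] == ip):
            reasons.append("quote POST without Referer from our form")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for minute in spike_minutes(entries, threshold=3):
        print("spike at", minute.isoformat(), quotes_per_minute(entries)[minute], "quotes")
    for ip, reasons in suspicious_ips(entries).items():
        print(ip, "->", "; ".join(reasons))
```

In production the per-minute count would be compared against a rolling baseline rather than a fixed number, and the flagged IPs fed to the blocking and rate-limiting controls the Alert recommends; the Referer heuristic is a cheap first signal, not proof, since legitimate clients can strip it.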
Lastly, the Alert provides recommendations to secure data, noting that (1) regulated entities should review whether it is necessary to display any NPI (even redacted NPI) and (2) NPI should not be displayed on public-facing sites unless there is a compelling reason to do so. NYDFS’ recommended steps for entities maintaining public-facing sites displaying or transmitting NPI include:
Conducting a thorough review of security controls, including SSL, TLS, HSTS and HTML configurations;
Verifying and, where possible, limiting users’ ability to manipulate website content using web developer tools;
Confirming that data redaction and obfuscation solutions for NPI are properly implemented;
Ensuring that privacy protections are up-to-date and adequately protect NPI by reviewing who is authorized to view it;
Searching and scrubbing public code repositories for proprietary code; and
Blocking the IP addresses of suspected unauthorized users and considering quote limits per user session.
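The recommendations on redaction (confirming it is properly implemented, and limiting what users can change with developer tools) and on per-session quote limits come down to one principle: NPI that has already been sent to the browser is not protected by anything the browser does to hide it. The following added example, which is not code from the Alert or from any insurer, contrasts a quote page that ships the full driver's license number and masks it with script against one that redacts the value on the server, and adds a server-side per-session quote cap. The record, the session identifiers and the cap of three quotes are constructed for illustration.

```python
"""Client-side masking versus server-side redaction of NPI on a quote page,
plus a per-session quote limit enforced on the server."""
import html
from collections import defaultdict

# Constructed sample record; the license number is made up.
RECORD = {"name": "A. Driver", "dl_number": "D1234567"}


def render_client_masked(record):
    """Weak: the full value is written into the HTML and only hidden by script.
    View-source, a disabled script, or the dev tools network tab reveals it."""
    dl = html.escape(record["dl_number"])
    return (
        f'<input id="dl" type="text" value="{dl}">\n'
        '<script>var f = document.getElementById("dl");'
        'f.value = "*".repeat(f.value.length - 4) + f.value.slice(-4);</script>'
    )


def redact(value, keep=4):
    """Server-side redaction: keep only the last `keep` characters."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def render_server_redacted(record):
    """Hardened: only the redacted string ever leaves the server, so nothing
    the user does in the browser can recover the full number."""
    masked = html.escape(redact(record["dl_number"]))
    return f'<input id="dl" type="text" value="{masked}" readonly>'


class QuoteLimiter:
    """Per-session quote cap. The counter lives on the server, keyed by the
    session identifier, so it cannot be reset by editing a cookie or the DOM."""

    def __init__(self, max_quotes):
        self.max_quotes = max_quotes
        self.counts = defaultdict(int)

    def allow(self, session_id):
        if self.counts[session_id] >= self.max_quotes:
            return False
        self.counts[session_id] += 1
        return True


def handle_quote_request(session_id, limiter, record):
    """Return (HTTP status, body) for a quote page request."""
    if not limiter.allow(session_id):
        return 429, "Quote limit reached for this session."
    return 200, render_server_redacted(record)


if __name__ == "__main__":
    print("client-masked page contains full number:",
          RECORD["dl_number"] in render_client_masked(RECORD))
    print("server-redacted page contains full number:",
          RECORD["dl_number"] in render_server_redacted(RECORD))
    limiter = QuoteLimiter(max_quotes=3)
    for _ in range(4):
        print(handle_quote_request("sess-abc", limiter, RECORD)[0])
```

The check to run on a real site is the same as the first print statement: fetch the quote page with a plain HTTP client (no script execution) and grep the response for the NPI fields; if the full value is present, the redaction is cosmetic. The quote cap here is per session; the Alert also recommends blocking the source IPs of suspected unauthorized users, which complements rather than replaces the per-session limit since a single attacker can rotate sessions.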