On February 16, 2021, the New York Department of Financial Services (“NYDFS”) issued a Cyber Fraud Alert (the “Alert”) to regulated entities in light of a growing campaign to steal Nonpublic Information (“NPI”), as defined under New York law, from public-facing websites that provide instant quotes for products like auto insurance (“Instant Quote Websites”). The NYDFS learned of the threat after receiving reports from auto insurers that cybercriminals were targeting their premium quote sites to steal driver’s license numbers. NYDFS attributes the growing threat activity, in part, to heightened fraud during the COVID-19 pandemic. As we previously reported, NYDFS issued guidance regarding cybersecurity during the pandemic in April 2020.


The Alert (1) calls for all regulated entities with public-facing websites to immediately remediate any security flaws; (2) reminds regulated entities to report Cybersecurity Events as promptly as possible and within 72 hours at the latest pursuant to New York cybersecurity requirements for financial services companies; and (3) asks that attempted thefts of NPI from public-facing sites promptly be reported to NYDFS.

The Alert contains additional information on detecting data theft. It states that all regulated entities that use Instant Quote Websites should immediately review (1) data analytics and website traffic metrics for spikes of quote requests and (2) server logs for evidence of unauthorized access to NPI, in order to determine whether their sites have been hacked.
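The traffic review described above can be run directly against web server logs. The following is an added example, not taken from the Alert: it assumes a combined-format access log and a hypothetical `/quote` endpoint path, uses constructed sample lines, and flags hours whose quote-request volume is far above the median, along with the source addresses responsible.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Assumptions: combined-format access log; "/quote" is a hypothetical endpoint path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
QUOTE_PATH = "/quote"

def build_sample_log():
    """Constructed log: steady background traffic plus one burst from a single client."""
    lines = []
    for hour in range(6):
        for i in range(3):
            lines.append(f'198.51.100.{10 + i} - - [16/Feb/2021:{hour:02d}:1{i}:00 +0000] '
                         f'"POST /quote HTTP/1.1" 200 512')
    for minute in range(40):
        lines.append(f'203.0.113.7 - - [16/Feb/2021:03:{minute:02d}:30 +0000] '
                     f'"POST /quote?ref=home HTTP/1.1" 200 512')
    lines.append('198.51.100.10 - - [16/Feb/2021:03:59:00 +0000] "GET /index.html HTTP/1.1" 200 100')
    lines.append("truncated or malformed line")
    return lines

def quote_spikes(lines, factor=5, min_count=20):
    """Return (hour, request_count, top_sources) for hours far above the median hourly volume."""
    per_hour = Counter()
    per_hour_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of failing the whole review
        ip, ts, _method, path, _status = m.groups()
        if path.split("?", 1)[0] != QUOTE_PATH:
            continue  # only quote requests count toward the spike
        hour = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d %H:00")
        per_hour[hour] += 1
        per_hour_ip[hour][ip] += 1
    if not per_hour:
        return []
    baseline = median(per_hour.values())  # median is not dragged up by the burst itself
    return [(hour, count, per_hour_ip[hour].most_common(3))
            for hour, count in sorted(per_hour.items())
            if count >= min_count and count > factor * baseline]

if __name__ == "__main__":
    for hour, count, sources in quote_spikes(build_sample_log()):
        print(hour, count, sources)
```

The `factor` and `min_count` thresholds are illustrative and should be tuned against a site's normal quote volume.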

Lastly, the Alert provides recommendations to secure data, noting that (1) regulated entities should review whether it is necessary to display any NPI (even redacted NPI) and (2) NPI should not be displayed on public-facing sites unless there is a compelling reason to do so. NYDFS’ recommended steps for entities maintaining public-facing sites displaying or transmitting NPI include:

  • Conducting a thorough review of security controls, including SSL, TLS, HSTS and HTML configurations;
  • Verifying and, if possible, limiting access that users have to manipulate website content using web developer tools;
  • Confirming that data redaction and obfuscation solutions for NPI are properly implemented;
  • Ensuring that privacy protections are up-to-date and adequately protect NPI by reviewing who is authorized to view it;
  • Searching and scrubbing public code repositories for proprietary code; and
  • Blocking the IP addresses of suspected unauthorized users and considering quote limits per user session.

By admin