NYDFS Warns of Growing Cyber Campaign to Steal NPI and Reminds Entities of Part 500 Reporting Obligations

On February 16, 2021, the New York State Department of Financial Services (NYDFS) issued an Industry Letter regarding cyber fraud risk (the Alert) that details a comprehensive cybercrime campaign targeting consumers' nonpublic information (NPI) displayed or transmitted on public-facing websites, particularly those that provide instant online quotes for insurance premiums. Part of an overall surge in benefits fraud since the beginning of the pandemic, this cybercrime campaign is believed to be aimed at diverting COVID-19 relief funds to the campaign's perpetrators.

The Alert comes approximately two weeks after NYDFS released the United States' first Cyber Insurance Risk Framework, and nearly six months after NYDFS's first enforcement action under New York's Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500). Under those requirements, financial services institutions that are subject to NYDFS jurisdiction must, among other things, implement various cyber safeguards as well as monitor and promptly report cybersecurity incidents. These Part 500 requirements have helped the NYDFS gather critical information on widespread cybercrime campaigns and to issue industry guidance, such as the Alert.

NYDFS first learned of this cybercrime campaign in late December 2020 and early January 2021 after receiving reports from two auto insurers, who described perpetrators' attempts to steal consumer NPI from their websites offering instant automobile insurance premium quotes. By typing in any valid name, date of birth, and address into the required fields, these websites automatically display an estimated insurance premium quote as well as redacted consumer NPI, including a driver's license number. The perpetrators then obtained the unredacted driver's license number using sophisticated methods, some of which are described in the Alert, and abandoned the quote. After NYDFS gave notice of this scheme to about a dozen regulated entities maintaining auto quote websites, six more insurers reported that their websites were also similarly targeted. In at least some cases, NYDFS confirmed that fraudulent claims for pandemic and unemployment benefits were submitted using the stolen NPI.

The Alert urges all regulated entities, especially those with websites that provide such "instant quotes" using consumers' NPI, to immediately review their websites for evidence of hacking. The Alert reminds NYDFS-regulated entities of their obligation under Part 500 to report cybersecurity events as promptly as possible (within 72 hours at the latest), and urges them to remediate any security flaws immediately and to review whether it is necessary to display redacted NPI to users at all. In addition to putting regulated entities on notice, the Alert may indicate NYDFS's intent to investigate regulated entities that it perceives as failing to implement sufficient safeguards to protect themselves and their consumers from this type of malicious scheme (or as otherwise failing to meet their obligations under Part 500). In any event, regulated entities should use this Alert as a reason to conduct additional diligence into the sufficiency of safeguards and of internal procedures on NYDFS reporting.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.