New York’s Department of Financial Services is cracking down on Equifax.
One day after announcing that additional regulations would be coming for credit reporting agencies, NYDFS lowered the boom on Equifax in response to its massive 2017 security breach, requiring the credit reporting agency to sign a consent order with eight state banking regulators in which it promised to undertake a risk assessment and to submit to board oversight of its information security program, audit function, information technology operations and vendor management, among other things.
“DFS continues to take aggressive action in holding Equifax Inc. accountable for the massive data breach that exposed the sensitive and private information of millions of Americans,” NYDFS Superintendent Maria Vullo said in a statement.
New York is not happy about the Equifax breach … like, at all … and it is leading the charge on increased oversight for credit reporting agencies. Seven other states’ banking regulators joined New York in holding Equifax to the regulatory flames. All told, New York, Alabama, California, Georgia, Maine, Massachusetts, North Carolina and Texas joined in on the consent order.
“In an era of weakened federal government oversight, strong state regulation is essential in order to safeguard our markets, ensure strong consumer protections and hold regulated entities accountable for their actions. New York will continue to lead in supporting a robust state financial services regulatory regime. New York will also continue in its efforts to obtain relief for consumers who were harmed by the Equifax breach,” Vullo added.
Part of this regulatory push will result in the first-ever state-mandated cybersecurity standard for credit reporting agencies. NYDFS will oversee its implementation beginning Nov. 1, 2018.
According to NYDFS, today’s consent order mandates the corrective actions below, and Equifax must report its progress on each of them to the eight state banking regulators:
Information Technology: The Equifax board must review and approve a written risk assessment that identifies foreseeable threats and vulnerabilities to the confidentiality of personally identifiable information; the likelihood of each threat; the potential damage to the company’s business operations; and the safeguards and mitigating controls that address each threat and vulnerability.
Audit: The Equifax board or Audit Committee must improve the oversight of the audit function. Accordingly, the Audit Committee must oversee the establishment of a formal and documented internal audit program that is capable of effectively evaluating IT controls and that complies with the internal audit charter.
Board and Management Oversight: The company shall improve oversight of the Information Security Program. Accordingly, the board or, if appropriately authorized, the Technology Committee of the board shall: approve a consolidated written Information Security Program and Information Security Policy, and review them annually thereafter; review an annual report from management on the adequacy of the company’s Information Security Program; enhance the level of detail within the Technology Committee and board minutes, or the respective meeting package, by documenting relevant internal management reports (e.g., approval of a formal, written information security risk assessment); review and approve IT and information security policies and ensure they are up to date and applicable; and ensure that the company’s Security Incident Handling Procedure Guide includes up-to-date incident-related procedures and clarifies the roles and relationships of the groups involved in incident response.
Vendor Management: The company must improve oversight and documentation of critical vendors and ensure that sufficient controls are developed to safeguard information.
Patch Management: The company must improve the standards and controls supporting the patch management function. An effective patch management program must be implemented to reduce the number of unpatched systems and the instances of extended patching time frames.
Information Technology Operations: The company must enhance oversight of IT operations as it relates to the disaster recovery and business continuity functions.