NYDFS

Statement of Charges and Notice of Hearing

high

First American Title Insurance Company

New York

In July 2020, the New York Department of Financial Services (NYDFS) brought its first enforcement action under its landmark cybersecurity regulation (23 NYCRR 500, effective 2017 with full certification required by June 2020) via a Statement of Charges against First American Title Insurance Co. The action was triggered by a massive data exposure vulnerability that left hundreds of millions of documents containing sensitive personal information accessible online. While First American is not a bank or fintech, this action established NYDFS's willingness to enforce its cybersecurity rules aggressively, which has direct relevance for BaaS banks and fintechs operating under NYDFS supervision. The case set a precedent for how NYDFS evaluates cybersecurity controls at regulated financial institutions.

Verified from source: The New York State Department of Financial Services issued a Statement of Charges against First American Title Insurance Company for multiple violations of the DFS Part 500 Cybersecurity Regulation, including failure to perform adequate risk assessment, maintain proper access controls, provide adequate security training, and encrypt nonpublic information. This was the first cybersecurity enforcement action brought by DFS under its regulations.

Implications
  1. Established NYDFS as an aggressive enforcer of cybersecurity standards applicable to banks and financial services firms in BaaS
  2. BaaS banks and fintechs chartered or licensed in New York must ensure robust cyber controls to avoid similar enforcement
  3. Signaled that third-party data handling and vulnerability management are regulatory priorities