Thursday, September 21, 2017

New York urges financial institutions to protect consumer data following Equifax breach

By J. Preston Carter, J.D., LL.M.

The New York Department of Financial Services (DFS) has issued guidance urging New York State chartered and licensed financial institutions to take immediate action and consider precautions to protect consumers in light of the recent cybersecurity attack at Equifax. The information accessed by hackers includes names, Social Security numbers, birth dates, addresses, and, in some cases, drivers’ license numbers. The guidance supports the DFS’s first-in-the-nation cybersecurity regulation (23 NYCRR 500), which went into effect on March 1, 2017, and requires banks, insurance companies, and other financial services institutions regulated by the DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

"The scope and scale of this cyber attack is unprecedented and DFS is prepared to take all actions necessary to protect New York’s consumers and financial markets," DFS Superintendent Maria T. Vullo said. "Given the seriousness of this breach, the potential harm to consumers and our financial institutions, and in light of the fact that a number of financial institutions have arrangements with Equifax under which financial institutions provide consumer account and debt information to Equifax and receive similar information from Equifax, DFS is issuing this guidance to ensure that this incident receives the highest level of attention and vigilance at New York’s regulated institutions."

The DFS is asking all New York State chartered and licensed financial institutions to consider the following:
  • ensure that all information technology and information security patches have been installed;
  • ensure that appropriate ID theft and fraud prevention programs are in place;
  • confirm the validity of information contained in Equifax credit reports before relying on them;
  • if appropriate, consider a customer call center for customers to call in and inform the institution if their information has been hacked; and
  • if the institution provides consumer or commercial related account and debt information to Equifax, ensure that the terms of the arrangement receive a very high level of review and attention to determine any potential risk associated with the continued provision of data.

For more information about cybersecurity for financial institutions, subscribe to the Banking and Finance Law Daily.