We had previously predicted that the Equifax data breach could lead to increased state-level cybersecurity enforcement. On June 27, the NYDFS announced that Equifax has agreed to take corrective action for its 2017 data breach, as set forth in a consent order reached with the NYDFS and seven other state banking regulators.  This enforcement action comes quickly after the NYDFS was given authority to regulate credit reporting agencies for cybersecurity.  The order requires Equifax to improve its cybersecurity practices in several areas and includes very specific requirements. More broadly, the order provides a glimpse into what the NYDFS views as sound cybersecurity practices, which may be of interest to NYDFS-regulated entities, as well as companies that purport to be NYDFS cyber-compliant.  The order includes the following requirements:

  • Information Technology:  The Equifax board must review and approve a written risk assessment that identifies (1) foreseeable threats and vulnerabilities to the confidentiality of personally identifiable information; (2) the likelihood of threats; (3) the potential damage to the company’s business operations; and (4) the safeguards and mitigating controls that address each threat and vulnerability.
  • Audit:  To improve the oversight of Equifax’s audit function, the Equifax Audit Committee must oversee the establishment of a formal and documented internal audit program that is capable of effectively evaluating IT controls and that complies with the internal audit charter.
  • Board and Management Oversight: Equifax shall improve the oversight of its Information Security Program.  The board or, if appropriately authorized, the Technology Committee of the board shall:
    • Approve a consolidated written Information Security Program and Information Security Policy and annually thereafter;
    • Review an annual report from management on the adequacy of the company’s Information Security Program;
    • Enhance the level of detail within the Technology Committee and board minutes, or respective meeting package, by documenting relevant internal management reports (i.e., approval of a formal, written information security risk assessment);
    • Review and approve IT and information security policies and ensure they are up-to-date and applicable; and
    • Ensure that the company’s Security Incident Handling Procedure Guide includes up-to-date incident-related procedures and clarifies the roles and relationships of the groups involved in the incident response.
  • Vendor Management:  Equifax must improve oversight and documentation of critical vendors and ensure that sufficient controls are developed to safeguard information.
  • Patch Management:  Equifax must improve standards and controls for supporting the patch management function. An effective patch management program must be implemented to reduce the number of unpatched systems and instances of extended patching time frames.
  • Information Technology Operations:  Equifax must enhance oversight of IT operations as it relates to disaster recovery and business continuity function.

The Davis Polk Cyber Portal is now available to assist our clients in their efforts to maintain compliance with their cybersecurity regulatory obligations.  If you have questions about the Portal, please contact  cyberportal@davispolk.com.