The New York Department of Financial Services (“NYDFS”) recently entered into a consent order with two life insurance companies as a result of alleged violations of New York’s Cybersecurity Regulation. The NYDFS determined that the companies had been the subject of phishing attacks in both 2018 and 2019, which compromised employee email accounts and thereby provided unauthorized access to customers’ sensitive and personal data. As a result, the NYDFS alleged that the companies violated the NY Cybersecurity Regulation:
- by failing to implement Multi-Factor Authentication (“MFA”) without implementing reasonably equivalent or more secure access controls;
- by falsely certifying compliance with the NY Cybersecurity Regulation in 2018, because MFA was not fully implemented; and
- by exposing non-public personal data as a result of the data breaches.
As part of the settlement, the companies agreed to: (1) pay a $1.8 million penalty to the State of New York; (2) conduct a cybersecurity risk assessment and submit the assessment results to the NYDFS; and (3) retain an independent third party to conduct an audit of the companies’ MFA controls and to have the results of those audits submitted to the NYDFS.
The NY Cybersecurity Regulation became effective in March 2017 and requires insurance companies to implement and maintain a cybersecurity program designed to protect the confidentiality and integrity of their information systems as well as any consumer non-public information. This regulation was the basis for the National Association of Insurance Commissioners’ Insurance Data Security Model Law, which has now been adopted in Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, and Virginia.