The New York Department of Financial Services (“NYDFS”) recently announced that it has entered into a consent order with two affiliated life insurers for alleged violations of the New York Cybersecurity Regulation (the “Cybersecurity Regulation”). The NYDFS investigated and determined that the two life insurers (the “Companies”) were the subject of two phishing attacks, in 2018 and 2019, which compromised the email accounts of several employees of the Companies who had access to a large amount of sensitive and personal data of their customers. The NYDFS said its investigation found that the Companies violated the Cybersecurity Regulation by failing to implement multi-factor authentication (“MFA”) without implementing reasonably equivalent or more secure access controls approved in writing by the Companies. Additionally, the NYDFS alleged that the Companies falsely certified compliance with the Cybersecurity Regulation in 2018 because MFA was not fully implemented. The NYDFS also alleged that the two data breaches resulted in the exposure of a great deal of non-public personal data belonging to the Companies’ clients.
Under the consent order, the Companies agreed to: (1) pay a fine of $1.8 million to New York State; (2) complete a cybersecurity risk assessment within 120 days of the effective date of the consent order and submit the results of the assessment to the NYDFS; and (3) have an independent third party audit their current MFA controls and submit the results to the NYDFS within 120 days of the effective date of the consent order, to ensure that the Companies’ cybersecurity programs are fully compliant with the Cybersecurity Regulation.
The Cybersecurity Regulation came into effect in March 2017 and has served as a model for other states, as well as for the National Association of Insurance Commissioners’ Insurance Data Security Model Law (the “Model Security Law”). The Model Security Law applies to insurers, insurance agents, third party administrators and other entities licensed by state insurance departments. It requires insurance entities to establish and maintain a cybersecurity program designed to protect the confidentiality and integrity of their information systems, as well as any non-public consumer information. In addition, the Model Security Law requires that covered entities (1) annually certify compliance with the Model Security Law, (2) have a written incident response plan, (3) develop and maintain a comprehensive written security program based on the entity’s risk assessment, and (4) conduct risk management and assessment activities, including employee training and updating of network systems.
The Model Security Law or related legislation has been adopted in the following states: Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee and Virginia.