On May 13, 2021, the New York Department of Financial Services (NYDFS) announced a $1.8 million settlement with two affiliated insurance companies for violations of two different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2019.
NYDFS Cybersecurity Regulation
Readers may recall that the NYDFS cybersecurity regulation went into effect in March 2017. Among its requirements, the regulation states that each financial services licensee must implement multifactor authentication (MFA) or implement “reasonably equivalent or more secure access controls” that are approved in writing by the licensee’s Chief Information Security Officer (CISO). The regulation also requires an annual certification of compliance to be submitted to NYDFS. If a licensee is unable to certify compliance with all applicable requirements, NYDFS has stated that the licensee may not submit a certification (FAQ 33).
This matter began when insurance affiliate no. 1, an NYDFS licensee, discovered a credential phishing email in September 2018. The email, which purported to come from affiliate no. 1’s parent company, contained a link to a fake Microsoft Office 365 (“O365”) login page and was designed to harvest employee credentials for the O365 system. The insurer activated its incident response plan and concluded that the threat actor had obtained the credentials of several employees and had access to customers’ non-public personal information between June 1, 2018 and October 20, 2018. The insurer notified NYDFS on November 30 and provided notice and credit monitoring to those affected. Complicating matters, the phishing email also affected affiliate no. 2, also an NYDFS licensee. Affiliate no. 2 likewise provided notice and credit monitoring to those affected. Neither affiliate no. 1 nor affiliate no. 2 had fully implemented multifactor authentication at that time, nor, according to the consent order, had either affiliate obtained CISO approval of alternative controls. Both companies certified compliance with the cybersecurity regulation in February 2019, but the migration of all employee accounts at the two companies to MFA was not completed until August 29, 2019.
Affiliate no. 1 experienced a second phishing incident on October 10, 2019, when a sales executive noticed that his mailbox was sending suspicious emails that he had never written. Affiliate no. 1 investigated and found that the credentials of 15 employees had been compromised between October 1 and October 10, 2019. Affiliate no. 1 notified NYDFS on November 25, 2019. Although MFA had been implemented for affiliate no. 1’s email environment, a misconfiguration involving a number of whitelisted Internet Protocol (“IP”) addresses allowed an unauthorized third party to bypass MFA and access the compromised accounts.
The Consent Order
The two affiliates agreed to pay NYDFS $1.8 million as a civil monetary penalty. NYDFS recognized the companies’ “commendable cooperation” and “continuous efforts to address the shortcomings.” In addition, the companies agreed to continue strengthening their controls, including delivering the following documentation to NYDFS within 120 days:
- A complete written plan for responding to cybersecurity incidents; and
- Comprehensive cybersecurity risk assessment.
The consent order expressly prohibits both companies from seeking or accepting, “directly or indirectly, reimbursement or indemnification with respect to payment of the penalty amount, including, but not limited to, payment made pursuant to any insurance policy.”
Note that the consent order expressly states that it does not preclude the companies from defending any action by any federal or state agency or any private action.