DFS Superintendent Lacewell Announces Cybersecurity Settlement with Licensed Insurance Company

  • Source: dfs.ny.gov

Treliant Takeaway:

Treliant helps firms prepare for compliance with regulatory guidance and expectations. On April 14, 2021 – The New York State Department of Financial Services (DFS) issued a Press Release regarding a Cybersecurity Settlement with a Licensed Insurance Company.

DFS’ investigation uncovered that the licensed insurance company (company) failed to implement Multi-Factor Authentication (MFA), falling victim to four (4) cyber breaches that exposed its customers’ private data.

Chief Information Security Officers (CISOs) and their teams need to be ready to demonstrate compliance with cybersecurity regulations and be ready for a thorough look by the regulators at the underlying processes, including decisions around DFS cybersecurity compliance.

Press Release Letter Highlights:

  • The company will pay a $3 million penalty to New York State for violations of DFS’ Cybersecurity Regulation that caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, including thousands of New York consumers.
  • DFS’ investigation uncovered evidence that the company had been the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the DFS as mandated by the Cybersecurity Regulation.
  • The cyber breaches involved the unauthorized access of the email accounts of the company’s employees and independent contractors, who have access to a significant amount of sensitive personal data of the company’s customers.
  • The company failed to implement MFA and did not implemented reasonably equivalent or more secure access controls approved in writing by the company’s (CISO).
  • The company falsely certified compliance with the DFS cybersecurity regulations for the calendar year 2018, due to the fact that MFA was not fully implemented.

Firms who have not taken their cybersecurity controls seriously including cybersecurity regulatory compliance should begin to revisit this process immediately and strongly consider an outside review of their cybersecurity activities.

Our professionals include but are not limited to, former CISOs and Internal Auditors. We understand how to make your cybersecurity programs work effectively to comply with DFS’ Cybersecurity regulations and to prepare for upcoming in-depth regulatory exams.