DFS Superintendent Lacewell Announces Cybersecurity Settlement with First Unum and Paul Revere Life Insurance Companies

  • Source: dfs.ny.gov

Treliant Takeaway:

Treliant helps firms prepare for compliance with regulatory guidance and expectations. On May 13, 2021, the New York State Department of Financial Services (DFS) issued a press release regarding a cybersecurity settlement with the First Unum and Paul Revere Life Insurance Companies (referred to below as First Unum and Paul Revere).

The press release indicated that the DFS investigation found that First Unum and Paul Revere had failed to implement Multi-Factor Authentication (MFA) and had fallen victim to two phishing attacks that exposed consumers' personal and private data.

Chief Information Security Officers (CISOs) and their teams need to be ready to demonstrate compliance with cybersecurity regulations, and to expect a thorough look by regulators at the underlying processes, including the decisions behind the firm's DFS cybersecurity compliance posture.

Our professionals include, but are not limited to, former CISOs and Internal Auditors. We understand how to make your cybersecurity program work effectively to comply with the DFS Cybersecurity Regulation and to prepare for upcoming in-depth regulatory exams.

Press Release Highlights:

  • The DFS investigation found that First Unum and Paul Revere had been the subject of two phishing attacks, in 2018 and 2019, in which phishing e-mails designed to harvest employee e-mail account credentials compromised the accounts of several employees who had access to a significant amount of sensitive and personal customer data.
  • First Unum and Paul Revere violated Section 500.12 of the DFS Cybersecurity Regulation by failing to implement Multi-Factor Authentication ("MFA") without having put in place reasonably equivalent or more secure access controls approved in writing by the CISO, the only alternative the section allows. Further, both First Unum and Paul Revere falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018, because MFA was not fully implemented at the time of the certification.
  • As part of the settlement, First Unum and Paul Revere agreed to pay a $1.8 million monetary penalty and to implement further improvements to their existing cybersecurity program to ensure that their cybersecurity controls are fully compliant with Section 500.12 of the Cybersecurity Regulation (23 NYCRR Part 500).

Firms should revisit their compliance with the DFS Cybersecurity Regulation periodically, in particular before signing the annual certification, and should strongly consider an outside review of their cybersecurity-related activities.

Author

Richard Hudson

Richard Hudson is a Senior Manager with Treliant. He has over 25 years of experience in information security, compliance, risk management, business continuity and information technology. He has worked on staff and as a consultant for companies in the financial services, insurance, healthcare, information technology, and asset management sectors. Prior…