Insurer Settles with NYDFS After Exposing Customer Data
The $3M penalty is the largest published assessment to date for alleged violations of the Cybersecurity Regulation.
Insurers continue to draw the ire of New York's Department of Financial Services.
Just months after dropping the hammer on insurer First American for failing to adhere to its Cybersecurity Regulation, the department, which oversees the state's massive financial industry, announced last week it was settling with another insurer for failing to comply with the regulation.
The Cybersecurity Regulation (NYCRR 500) provides standards for financial industry compliance for companies that do business in the state as far as controls, data protection, and reporting data breaches.
The settlement order – announced April 14 - requires the company, National Securities Corporation, pay a $3 million penalty to New York State. That's double NYDFS' most recent cybersecurity settlement, $1.5M, against a mortgage banker, in March.
Last week's settlement mainly stems from National Securities' failure to properly implement multi-factor authentication and inform NYDFS of two cybersecurity events it experienced in 2018 and 2019. Those incidents aren't the only that affected the company, they're in addition to two events National Securities did disclose to the department.
According to the department, the company, which sells life insurance, accident, and health insurance was compromised on two separate occasions, one in 2018 and one in 2019. Both attacks involved abusing access to employee O365 accounts. In the attacks, hackers managed to penetrate the email account of the company's Chief Financial Officer with a phishing email and in another, access a document management system associated with tax software belonging to an employee.
According to NYDFS, it wasn't until August 2020 that the company had MFA implemented for all users. The company didn't have anything in lieu of MFA, as far as secure access controls, approved by the company Chief Information Security Officer (CISO) either.
The company stopped the bleeding - it changed account credentials, provided credit monitoring to those affected, and informed potential victims. It also reported the incidents to the applicable departments - Attorney General's offices, the IRS, the SEC, FBI, and the local County Sheriff's office. It apparently failed to report either of them to NYDFS however, which goes against 23 NYCRR 500.
National Securities also falsely certified compliance for the calendar year 2018, something which didn’t sit well with the department either.
In addition to having to pay the $3M penalty, National Securities has 120 days to demonstrate that its got a cybersecurity incident response plan and a risk assessment in place. It also needs to show that it has policies, procedures and controls designed to (a) monitor the activity of Authorized Users and (b) detect unauthorized access or use of, or tampering with, NPI by such Authorized Users
As previously mentioned, it's the second settlement NYDFS has announced this year. It fined Residential Mortgage Services (RMS), a mortgage banker, in March for exposing data of loan applicants and neglecting to report a breach to the department.
After starting out slowly following the regulation's launch in 2017, NYDFS is ramping up enforcement.
Organizations that have to comply with the NYDFS must safeguard nonpublic consumer data with the appropriate cybersecurity policies and procedures.