The Superintendent for the New York Department of Financial Services (DFS) recently announced a consent order assessing a $4.5 million penalty against a health insurance company for violations of the DFS Cybersecurity Regulations, 23 NYCRR, Part 500.
The regulations apply to a "covered entity," defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law."
In this case, a phishing attack likely allowed unauthorized access to six years' worth of consumers' non-public information. According to DFS, the company failed to:
- implement multi-factor authentication (§ 500.12);
- limit user access privileges (§ 500.07);
- implement sufficient data retention and disposal processes (§ 500.13); and
- conduct an adequate risk assessment (§ 500.09).
In addition to the monetary penalty, the company is required conduct a comprehensive risk assessment, to include: a) reasonably necessary changes to address material issues identified in the assessment; b) plans for revisions of controls to respond to technological developments and evolving threats; and c) plans for updating or creating additional written policies and procedures.
To its credit, the company's "commendable cooperation throughout [the] investigation" was acknowledged by DFS as well as its "ongoing and completed efforts to remediate the shortcomings identified in this Consent Order." This is contained in the "Monetary Penalty" section of the Consent Order, so presumably this favorable conduct had a positive impact on the amount of the penalty.
PROPOSED AMENDMENTS TO CYBERSECURITY REGULATIONS
DFS recently announced proposed amendments to its Cybersecurity Regulations that, if implemented, would require:
The creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs. Furthermore, based on feedback from the industry and in recognition of the realities of operating a small business, the proposed amendment increases the size threshold of smaller companies that are exempt from many parts of the regulation;
Enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels;
Additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack;
Requiring more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning; and
Directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.
DFS is accepting public comment on the proposed amendments through Jan. 9, 2023.
Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct: (312) 551-9320
Fax: (312) 284-4751
Mobile: (312) 493-0874
Admitted to practice law in Illinois
Alabama | California | Florida | Illinois | Massachusetts | New Jersey | New York | Ohio | Pennsylvania | Tennessee | Texas | Washington, DC
NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.
Our updates and webinar presentations are available on the internet, in searchable format, at:
Financial Services Law Updates
The Consumer Financial Services Blog™