On April 14, 2021, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with insurance company National Securities Corporation, which suffered four separate breaches, two of which went unreported in violation of 23 NYCRR § 500.17(a). The settlement not only includes a monetary penalty but also mandates increased training and implementation of security tools, and underscores the urgency of addressing cybersecurity threats and DFS’s increasing enforcement activity for non-compliance with its cyber regulations.
The settlement, one of only a few released since the 2017 implementation of the Cybersecurity Regulation, 23 NYCRR § 500, gives insurers and other regulated companies a window into how DFS interprets and enforces this regulation.
DFS regulates a range of entities involved in the finance and insurance fields. National Securities sells life insurance, accident and health insurance, and variable life/variable annuities insurance, and in doing so collects private data in the course of its day-to-day operations. In four separate data breaches that occurred between 2018 and 2020, a “substantial” amount of sensitive, non-public customer information (“NPI”) in National Securities’ possession was compromised. National Securities failed to report two of these breaches, as required by the Cybersecurity Regulation, 23 NYCRR § 500.17(a). The DFS settlement calls for the company to pay a $3 million penalty to New York State for these violations.
The settlement first discussed two incidents which the insurance company did report: the first took place from September 13-18, 2019, and resulted in unauthorized access to an employee’s Microsoft Office email account, potentially impacting the NPI of certain customers. At that time, National Securities did not have multifactor authentication (“MFA”) in place for internal email accounts, in violation of Section 500.12(b) of the Cybersecurity Regulation. The second incident, which occurred from March 23 to April 30, 2020, resulted in unauthorized transfers of data and information from customer accounts, as well as potential exposure of customer NPI in National Securities’ possession. The language of the settlement suggests that both of these data incidents were likely the result of phishing schemes.
As DFS investigated National Securities in relation to the first two incidents, it discovered two other cybersecurity events that occurred in 2018, both of which were unreported by National Securities in violation of 23 NYCRR § 500.17(a). Customers’ NPI was potentially exposed in one of these incidents, and according to the settlement, the cause of both incidents was a phishing attack.
The Consent Order highlighted National Securities’ lack of MFA as a major failure. It noted that National Securities uses more than 60 third-party applications that contain the NPI of National Securities’ consumers and/or employees or have access to National Securities’ internal network, one of which still remained without MFA as of the date of the Consent Order. The Order noted that although National Securities had the ability to institute access controls over these third-party applications, it had failed to do so.
The Consent Order also cited National Securities for certifying its compliance with the Cybersecurity Regulation for the 2018 calendar year when in fact it was not in compliance due to the failings detected by DFS.
In addition to the monetary penalty, the settlement mandates a number of remediation steps to be taken by National Securities, including preparation of a Cybersecurity Incident Response Plan consistent with 23 NYCRR § 500.16, and a Cybersecurity Risk Assessment of information systems consistent with 23 NYCRR § 500.09. Notably, the Consent Order also mandates that National Securities submit training and monitoring materials to the DFS within 120 days of the date of the Order, including its most recent cybersecurity awareness training for all personnel, updated to reflect the risks identified by National Securities in its Cybersecurity Risk Assessment.
This settlement underscores the continuing risks associated with human error and phishing schemes, and reinforces the need to implement MFA and tools to help detect and prevent phishing attacks. The Consent Order is also notable for its emphasis not just on MFA and other system-wide protections and audits, but also on human training as an essential component of any cybersecurity regime. Other regulated entities should take heed of the fact that in addition to imposing a substantial financial penalty, DFS is equally (if not more) interested in protecting the safety of consumer data and mandating the effective implementation of robust cybersecurity systems and practices.