The Superintendent for the New York Department of Financial Services recently announced a consent order assessing a $4.5 million penalty against a health insurance company for violations of the DFS Cybersecurity Regulations, 23 NYCRR, Part 500.
The regulations apply to a “covered entity,” defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
In this case, a phishing attack likely allowed unauthorized access to six years’ worth of consumers’ non-public information. According to DFS, the company failed to:
- implement multi-factor authentication (§ 500.12);
- limit user access privileges (§ 500.07);
- implement sufficient data retention and disposal processes (§ 500.13); and
- conduct an adequate risk assessment (§ 500.09).
In addition to the monetary penalty, the company is required to conduct a comprehensive risk assessment, to include: a) reasonably necessary changes to address material issues identified in the assessment; b) plans for revisions of controls to respond to technological developments and evolving threats; and c) plans for updating or creating additional written policies and procedures.
To the company's credit, DFS acknowledged its “commendable cooperation throughout [the] investigation” as well as its “ongoing and completed efforts to remediate the shortcomings identified in this Consent Order.” This acknowledgment appears in the “Monetary Penalty” section of the Consent Order, so presumably this favorable conduct had a positive impact on the amount of the penalty.
PROPOSED AMENDMENTS TO CYBERSECURITY REGULATIONS
- The creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs. Furthermore, based on feedback from the industry and in recognition of the realities of operating a small business, the proposed amendment increases the size threshold of smaller companies that are exempt from many parts of the regulation;
- Enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels;
- Additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack;
- Requiring more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning; and
- Directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.
DFS is accepting public comment on the proposed amendments through Jan. 9, 2023.