On May 13, 2021, the New York Department of Financial Services (NYDFS) announced a $1.8 million settlement with two related insurance companies, relating to violations of two different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2019.
NYDFS Cybersecurity Regulation
Readers may recall that NYDFS’ cybersecurity regulation went into effect in March of 2017. Among its requirements, the regulation states that each financial services licensee must implement multi-factor authentication (MFA) or else implement “reasonably equivalent or more secure access controls” that are approved in writing by the licensee’s Chief Information Security Officer (CISO). The regulation includes an annual certification of compliance, to be filed with NYDFS. If a licensee is unable to certify compliance with all applicable requirements, NYDFS has stated that the licensee may not submit a certification (FAQ 33).
This matter began when insurance affiliate #1, licensed by NYDFS, discovered a phishing email in September of 2018. The email, which purported to be from affiliate #1’s parent company, contained a link to a fake Microsoft Office 365 (“O365”) login page and was designed to harvest employee credentials to the O365 system. The insurer activated its incident response plan and concluded that the threat actor had obtained credentials from several employees and had access to customer non-public personal information between June 1, 2018 and October 20, 2018. The insurer notified NYDFS on November 30 and provided notice and credit monitoring to the affected individuals. Complicating matters, the phishing email also affected affiliate #2, also a NYDFS licensee. Affiliate #2 likewise provided notice and credit monitoring to affected individuals. Neither affiliate #1 nor affiliate #2 had fully implemented multi-factor authentication at the time, nor, according to the settlement, had either affiliate received CISO approval of alternate controls. Both companies certified compliance with the cybersecurity regulation in February of 2019, but the migration of all employee accounts at both companies was not completed until August 29, 2019.
Affiliate #1 experienced a second phishing incident on October 10, 2019, when a sales executive noticed that his mailbox was sending suspicious emails he had never written. Affiliate #1 investigated and found that 15 employees’ credentials had been compromised between October 1 and October 10, 2019. Affiliate #1 notified NYDFS on November 25, 2019. Although MFA had been implemented for affiliate #1’s email environment, a misconfigured range of whitelisted Internet Protocol (“IP”) addresses allowed an unauthorized third party to bypass MFA and gain access to the compromised accounts.
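The second incident turns on a common MFA policy pattern: logins from a list of "trusted" corporate IP ranges are allowed to skip the second factor, so a single over-broad entry in that list quietly widens the set of addresses that can sign in with a stolen password alone. The following script is an added illustration written for this post, not code from the consent order or from either insurer; the trusted-network entries, the hypothetical typo (a /8 entered where a /24 was intended) and the source addresses are all constructed, drawn from documentation address ranges. It shows how such an entry lets a password-only login bypass MFA and how a simple audit of the allowlist would have flagged the entry before it was deployed.

```python
import ipaddress

# Constructed example allowlists for an MFA policy that skips the second
# factor for logins from trusted corporate egress ranges.
# MISCONFIGURED_TRUSTED contains a hypothetical typo: a /8 where a /24 was
# intended. CORRECTED_TRUSTED is the intended, narrow configuration.
MISCONFIGURED_TRUSTED = ["203.0.0.0/8", "198.51.100.0/24"]
CORRECTED_TRUSTED = ["203.0.113.0/24", "198.51.100.0/24"]


def parse_networks(entries):
    """Parse CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def matching_trusted_entry(source_ip, trusted_entries):
    """Return the allowlist entry that covers source_ip, or None if none does."""
    addr = ipaddress.ip_address(source_ip)
    for entry, net in zip(trusted_entries, parse_networks(trusted_entries)):
        if addr in net:
            return entry
    return None


def mfa_required(source_ip, trusted_entries):
    """Return True if a login from source_ip must complete MFA under this policy.

    Mirrors the bypass described in the post: MFA is skipped whenever the
    source address falls inside any trusted range, so any error in that list
    directly enlarges the set of addresses that authenticate on password alone.
    """
    return matching_trusted_entry(source_ip, trusted_entries) is None


def audit_trusted_networks(trusted_entries, max_hosts=256):
    """Flag trusted ranges that exempt more than max_hosts addresses from MFA.

    Returns a list of (entry, number_of_addresses) for each entry that exceeds
    the threshold. A catch-all such as 0.0.0.0/0 is caught the same way.
    """
    findings = []
    for entry, net in zip(trusted_entries, parse_networks(trusted_entries)):
        if net.num_addresses > max_hosts:
            findings.append((entry, net.num_addresses))
    return findings


if __name__ == "__main__":
    # Constructed source address: outside the intended /24, inside the typo /8.
    attacker_ip = "203.0.200.5"
    for label, allowlist in (("misconfigured", MISCONFIGURED_TRUSTED),
                             ("corrected", CORRECTED_TRUSTED)):
        print(f"{label}: MFA required for {attacker_ip}? "
              f"{mfa_required(attacker_ip, allowlist)}")
        for entry, count in audit_trusted_networks(allowlist):
            print(f"  WARNING: {entry} exempts {count} addresses from MFA")
```

With the misconfigured list, the constructed address 203.0.200.5 matches the /8 entry and is never asked for a second factor; with the corrected list it is. The audit routine is the kind of pre-deployment check a change to an MFA exemption list should go through: any entry that exempts more than a small, known number of corporate addresses deserves explicit justification before it goes live.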
The Consent Order
The two affiliates agreed to pay NYDFS $1.8 million as a civil monetary penalty. NYDFS acknowledged the companies’ “commendable cooperation” and “ongoing efforts to remediate the shortcomings.” In addition, the companies agreed to continue to strengthen their controls, including delivering the following documentation within 120 days to NYDFS:
- Comprehensive written cybersecurity incident response plan; and
- Comprehensive cybersecurity risk assessment.
The consent order expressly prohibits both companies from seeking or accepting, “directly or indirectly, reimbursement or indemnification with respect to payment of the penalty amount, including but not limited to, payment made pursuant to any insurance policy.”
Note that the consent order expressly provides that it does not prevent either company from asserting any defense in any action brought by a federal or state agency or in any private action.