October 24, 2021

Volume XI, Number 297

New York Cracks Down on Cybersecurity Compliance

In 2021, the New York Department of Financial Services (NYDFS) is cracking down on companies that fail to comply with the Cybersecurity Regulations set forth in 23 NYCRR Part 500 by imposing millions of dollars in civil penalties. On June 8, 2021, NYDFS issued a series of frequently asked questions (FAQs) to provide guidance with respect to the Cybersecurity Regulations, which impose stringent requirements designed to protect information systems and nonpublic information stored on those systems. On June 30, 2021, NYDFS issued Ransomware Guidance on steps companies should take to prevent or mitigate the risk of a ransomware attack. In addition, NYDFS has encouraged cyber insurers to adopt a Cyber Insurance Risk Framework to measure and manage cyber risk and exposure due to the unprecedented rise and growing losses associated with cyber threats and systemic risk.

Part I. NYDFS Cybersecurity Regulations

Effective March 17, 2017, the NYDFS promulgated 23 NYCRR Part 500, setting forth comprehensive cybersecurity compliance requirements for all DFS-licensed Covered Entities that operate under the New York Banking, Insurance or Financial Services laws. The Regulations were intended to “promote the protection of customer information as well as the information technology systems of regulated entities” in light of the growing threat of cybersecurity risks. Subject to limited exemptions, the Regulations require Covered Entities to implement an enterprise-wide Cybersecurity Program, together with policies and procedures to address and mitigate this risk.

On June 8, 2021, NYDFS issued guidance in the form of FAQs to address questions concerning compliance with the 23 NYCRR Part 500 Cybersecurity Regulations.

Entities Subject to NYDFS Cybersecurity Requirements

The Regulations apply generally to Covered Entities, which are defined to include organizations operating under a license or registration under the New York Banking Law, Insurance Law or Financial Services Law. The Regulations separately refer to Authorized Users and Third-Party Service Providers (TPSPs) that are authorized to access or use a Covered Entity’s information systems and data.

As recently observed by NYDFS, it is not uncommon for a single entity to wear multiple hats in various capacities. The FAQs cite the example of a DFS-licensed independent insurance agent that works with multiple insurance companies. The insurance agent is a Covered Entity in its own right and has an obligation to establish and maintain a Cybersecurity Program designed to protect the confidentiality, integrity and availability of its information systems and Nonpublic Information (NPI) stored on those systems, including sensitive personal data, health information or proprietary business information.

However, to the extent the insurance agent has access to NPI or information systems maintained by an insurance company, the agent wears the hat of a TPSP while the insurance carrier is the Covered Entity subject to compliance with the Cybersecurity Regulations.

Limited Exemptions to Compliance

The Regulations recognize certain limited exemptions for Covered Entities that may not be required to comply with all of the cybersecurity requirements set forth in 23 NYCRR Part 500.

The exemptions apply to a Covered Entity that satisfies one or more of the following criteria:

  • Has fewer than 10 employees (including independent contractors) in the State of New York

  • Earned less than $5 million in gross annual revenue in each of the last three (3) fiscal years from New York business operations

  • Has less than $10 million in year-end total assets.

If an entity claims an exemption, it must file a Notice of Exemption with the Department. Moreover, the Covered Entity must maintain data and documentation supporting the Notice of Exemption for a period of five (5) years.

Cybersecurity Requirements

Importantly, however, an exempt Covered Entity is still required to comply with many of the cybersecurity requirements, including, but not limited to, maintaining a Cybersecurity Program and policies, conducting a Risk Assessment and implementing a TPSP Security Policy, as summarized below.

Cybersecurity Program

23 NYCRR 500.02 requires Covered Entities to maintain a Cybersecurity Program designed to protect the confidentiality, integrity and availability of their Information Systems (IS) and the NPI stored on those systems. The Cybersecurity Program should be designed to address the following functions: (1) identify and assess internal and external cybersecurity risks, (2) implement policies and procedures to protect IS and NPI, (3) detect Cybersecurity Events, (4) respond to detected Cybersecurity Events to mitigate their effects, and (5) recover and restore normal operations after Cybersecurity Events.

Cybersecurity Policies

Pursuant to 23 NYCRR 500.03, each Covered Entity must implement and maintain written policies and procedures for the protection of IS and NPI, as approved by a senior officer or the board of directors.

These policies should address the following issues to the extent applicable:

  • Information security

  • Data governance and classification

  • Asset inventory and device management

  • Access controls and identity management

  • Business continuity and disaster recovery

  • Systems and network security, and systems and network monitoring

  • Systems and application development and quality assurance

  • Physical security and environmental controls

  • Customer data privacy

  • TPSP management

  • Risk assessment

  • Incident response.

Risk Assessment

23 NYCRR 500.09 states that Covered Entities shall conduct a periodic Risk Assessment of their IS to identify threats to its business operations related to cybersecurity, NPI stored on its systems and the effectiveness of controls to protect this information.

Third-Party Service Provider Security Policy

Pursuant to 23 NYCRR 500.11, a Covered Entity shall implement written policies and procedures designed to ensure security of IS and NPI that are accessible by its TPSPs.

These policies should address the following cybersecurity controls for the TPSP:

  • Identification and risk assessment of the TPSP

  • Minimum cybersecurity practices required to be met by the TPSP

  • Due diligence processes used to evaluate the adequacy of cybersecurity practices of the TPSP

  • Access controls and use of multifactor authentication (MFA) by the TPSP

  • Encryption of NPI in transit and at rest by the TPSP

  • Notice by the TPSP to the Covered Entity of a Cybersecurity Event

  • Representations and warranties by the TPSP related to security of Information Systems and NPI

Notice to NYDFS of Cybersecurity Event

Moreover, no Covered Entity is exempt from providing NYDFS with notice of a Cybersecurity Event, which is defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.”

Pursuant to 23 NYCRR 500.17, a Covered Entity must notify NYDFS within 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following:

  • A Cybersecurity Event for which the Covered Entity is required to notify any (other) regulator

  • A Cybersecurity Event that has a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

As explained in the NYDFS’s recent guidance and FAQs published in June 2021, even “unsuccessful attacks” may be subject to notice:

Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces. For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary or nonroutine precautionary steps.

Notice to NYDFS is in addition to any other notification obligations a Covered Entity may have under New York’s data breach notification law or any similar laws.

Certification of Compliance

Pursuant to the regulations, a Covered Entity is required to submit a written statement to NYDFS each year certifying compliance with the requirements of 23 NYCRR 500. The Covered Entity also must maintain supporting documentation for a period of five (5) years for examination by the regulator. As further explained in its recent guidance and FAQs:

The Department expects full compliance with this regulation. A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 as of December 31 of the previous calendar year.

Part II. Enforcement for Noncompliance with Cybersecurity Regulations

This year, NYDFS has aggressively pursued Covered Entities that fail to comply with the Cybersecurity Regulations, including assessing several millions of dollars in fines and penalties.

For instance, in March 2021, NYDFS imposed a $1.5 million civil penalty on a licensed mortgage banker for failing to notify the regulator of a Cybersecurity Event. In that case, a routine examination by the regulator uncovered evidence that the company had experienced a breach in 2019 involving unauthorized access to an employee’s email account containing large amounts of the sensitive personal data of mortgage loan applicants. The company was found liable for violating the Cybersecurity Regulations in failing to timely report the breach and failing to conduct a comprehensive Cybersecurity Risk Assessment.

In April, NYDFS imposed a $3 million civil penalty on an insurance company based on its failure to implement MFA, failure to timely report two separate Cybersecurity Events and falsely certifying compliance with the Cybersecurity Regulations. In particular, NYDFS found that (1) the company did not implement MFA or any other reasonably secure access controls for its email environment that were approved in writing by the chief information security officer (CISO); (2) certain third-party applications used by the company that accessed its internal network containing consumer NPI did not have MFA fully implemented; (3) the company failed to timely notify NYDFS of two Cybersecurity Events that occurred in April 2018 and March 2019; and (4) the company falsely certified compliance with the Cybersecurity Regulations for 2018.

In May, NYDFS imposed a $1.8 million civil penalty on two life insurance companies based on the failure to implement MFA and falsely certifying compliance with the Cybersecurity Regulations. Specifically, NYDFS found that (1) the companies’ Office 365 email environments did not have MFA fully implemented or other reasonably equivalent or more secure access controls approved by the CISO; (2) a misconfiguration error in the MFA settings exposed a broad set of company IP (internet protocol) addresses to unauthorized third-party access; and (3) the companies falsely certified compliance with the Cybersecurity Regulations.

Part III. Ransomware Guidance

On June 30, 2021, NYDFS issued Ransomware Guidance, noting that there has been a 300 percent increase in ransomware attacks in 2020, and that threat actors have been engaging in “double extortion,” where they steal and threaten to publish a company’s data before deploying the ransomware. The guidance also highlighted the significant cost of ransomware attacks that has adversely impacted the loss ratios of cyber insurers – increasing from 42 percent between 2015 and 2019 to 73 percent in 2020. NYDFS observed that the amount of ransom demands by threat actors has increased 171 percent from 2019 to 2020 and continues to grow, citing an example of one company that recently paid a $40 million ransom demand. The guidance cautioned that ransom payments merely serve to fuel the rise of ransom attacks by increasingly sophisticated hackers, and that the FBI has recommended against paying ransoms.

The Ransomware Guidance states that “the good news is that most ransomware attacks can be prevented,” and that “criminal[s] are repeatedly using the same handful of techniques.” The guidance highlights specific cybersecurity controls that companies should implement to prevent or mitigate the risk of ransom attacks and other intrusions, as summarized below:

Security control (with the Part 500 section it maps to) and the guidance's description:

  • Email filtering and employee training (500.14(b)): Employee cybersecurity awareness training, including how to spot, avoid and report phishing attempts.

  • Vulnerability and patch management (500.03(g); 500.05(b)): A documented program to identify, track and remediate vulnerabilities on IT systems, including timely security patches and updates, together with periodic penetration testing.

  • Multifactor authentication (500.12): MFA for remote access to the network and for all externally exposed enterprise and third-party applications.

  • Privileged accounts (500.03(d) and (g), 500.12): All logins to privileged accounts, remote or internal, should require MFA.

  • Disable remote desktop protocol (RDP) access (500.03(g)): Disable RDP access from the internet whenever possible. Any RDP access that remains should be restricted to approved sources and require MFA as well as strong passwords.

  • Password management (500.03(d)): Privileged user accounts should require strong, unique passwords.

  • Privileged access management (500.03(d), 500.07): Each user or service account should be given the minimum level of access necessary to perform its job. Privileged accounts should be protected using MFA and strong passwords.

  • Monitoring and response (500.03(h)): Companies should implement an endpoint detection and response (EDR) solution that monitors for suspicious activity.

  • Tested and segregated backups (500.03(e), (f) and (n)): Companies should maintain backups that are segregated from the network and kept offline. Backups should be tested periodically.

  • Incident Response Plan (500.16): Companies should have an Incident Response Plan that explicitly addresses ransomware attacks. The plan should be tested for effectiveness, and the testing should include senior management, such as the CEO.

Part IV. Cybersecurity Insurance Risk Framework

Earlier this year, NYDFS issued a Cyber Insurance Risk Framework (Framework) to aid insurance carriers in effectively managing their cyber insurance risk. The Framework was developed in response to the unprecedented rise in cyber-attacks and the resulting impact on the insurance industry. NYDFS observed that the cyber insurance market, at $3.15 billion in premiums in 2019, is projected to exceed $20 billion by 2025. A survey conducted by NYDFS revealed that between 2018 and 2019 the number of insurance claims arising from ransomware attacks increased by 180 percent and the average cost of a ransomware claim rose by 150 percent. Meanwhile, the number of ransomware attacks reported to NYDFS doubled in 2020 from the previous year.

Cyber Insurance Risk Strategy

NYDFS observed that “[managing] this growing cyber risk is an urgent challenge for insurers,” particularly in connection with “systemic risk” involving “massive supply chain compromise.” Insurers are advised to adopt a risk-based approach to managing cyber risk pursuant to a formal cyber insurance risk strategy approved by senior management and the board of directors. This strategy should incorporate six (6) key practices outlined in the Framework and summarized below.

Eliminate Exposure to “Silent Cyber”

All insurers should evaluate their exposure to “silent cyber” risk, i.e., coverage for cyber harms that may be unintentionally triggered under non-cyber insurance policies (including Errors & Omissions, General Liability and Products Liability insurance). Insurers can eliminate silent cyber risk either by clearly excluding coverage for cyber-related losses from those policies or by expressly including such coverage and pricing it.

Evaluate Systemic Third-Party Cyber Risk

NYDFS notes that systemic cyber risk has increased because organizations increasingly rely on third-party vendors such as cloud services and managed service providers. Cyber-attacks on such third parties may result in a catastrophic cyber event for insurers across multiple policies and insureds, resulting in excessive aggregate exposure from a single cybersecurity event. NYDFS encourages insurers to conduct and track “stress test scenarios” across different types of policies and industry sectors.

Evaluate Insureds’ Cybersecurity Controls

As part of the underwriting process, insurers are encouraged to obtain as much information as possible about an organization’s cybersecurity controls, policies and procedures, including, but not limited to, corporate governance, vulnerability management, access controls, encryption, endpoint monitoring, incident response plans, TPSP policies, and external cyber risk evaluations or risk assessments of the organization.

Educate Insureds and Insurance Producers

NYDFS urges cyber insurers to educate their insureds about cybersecurity and reducing the risk of cyber incidents. This may include offering insureds incentives to adopt more robust cybersecurity practices and controls through discounted access to cybersecurity services, assessments and recommendations for improvement. In addition, NYDFS suggests that cyber insurers should educate insurance producers regarding potential cyber exposures as well as the types and scope of available insurance coverage.

Hire Employees with Cybersecurity Expertise

NYDFS strongly recommends that cyber insurers “recruit employees with cybersecurity experience and skills and commit to their training and development” in order to appropriately evaluate cyber risk.

Notice to Law Enforcement

Finally, NYDFS encourages cyber insurers to require their insureds to report cyber incidents to law enforcement, such as the FBI, as a “best practice.” The regulator notes that law enforcement may be able to assist victims of cyber-attacks, including recovering lost data and missing funds and potentially prosecuting cybercriminals.

Conclusion

Given the increasingly aggressive stance undertaken by NYDFS with respect to compliance with the Cybersecurity Regulations set forth in 23 NYCRR Part 500, it is critical for licensed companies to ensure that they have appropriate and well-documented cybersecurity controls, policies and procedures in place. Failure to do so may subject companies to hefty fines and penalties, enforcement actions or even the revocation of their licenses.

© 2021 Wilson Elser. National Law Review, Volume XI, Number 221

About this Author

Anjali C. Das, Partner, Wilson Elser

With nearly two decades of experience, Anjali Das represents insurers in connection with professional liability insurance coverage matters and claims involving accounting, finance and other complex business issues. She is a coordinating partner for the firm’s Directors & Officers practice and a member of the Diversity Committee.

Anjali represents the interests of U.S., London and Bermuda-based primary and excess insurers in high-exposure claims against directors and officers of public and private companies, non-profit boards, financial...
