The New York Department of Financial Services (“NYDFS”) recently announced that it has entered into a Consent Order with two affiliated life insurers for alleged violations of New York’s Cybersecurity Regulation (the “NY Cybersecurity Regulation”). The NYDFS conducted an investigation and determined that the two life insurers (the “Companies”) had been the subject of two phishing attacks in 2018 and 2019, which compromised the email accounts of several of the Companies’ employees, providing access to a significant amount of sensitive and personal data of their customers. The NYDFS indicated that its investigation revealed the Companies allegedly violated the NY Cybersecurity Regulation by failing to implement MultiFactor Authentication (“MFA”) without implementing reasonably equivalent or more secure access controls approved in writing by the Companies. Additionally, the NYDFS alleged the Companies falsely certified compliance with the NY Cybersecurity Regulation in 2018 because MFA was not fully implemented. The NYDFS also alleged that the two data breaches resulted in the exposure of numerous non-public personal data belonging to the Companies’ customers.

Under the Consent Order, the Companies agreed to: (1) pay a $1.8 million monetary penalty to the State of New York; (2) conduct a cybersecurity risk assessment within 120 days of the effective date of the Consent Order and submit the assessment results to the NYDFS; and (3) have an independent third party audit conducted of current MFA controls and submit the results to the NYDFS within 120 days of the effective date of the Consent Order to ensure the Companies’ cybersecurity programs fully comply with the NY Cybersecurity Regulation.

The NY Cybersecurity Regulation became effective in March 2017, and it has served as a model to other states, as well as the National Association of Insurance Commissioner’s Insurance Data Security Model Law (“Model Security Law”), which applies to insurers, insurance agents, third party administrators and other entities licensed by the state insurance departments. The Model Security Law requires insurance entities to establish and maintain a cybersecurity program designed to protect the confidentiality and integrity of their Information Systems, as well as any consumer non-public information.

Additionally, the Model Security Law requires covered entities to (1) certify compliance with the Model Security Act annually, (2) have a written incident response plan, (3) develop and maintain a comprehensive written security program based on the entity’s risk assessment, and (4) conduct risk management and risk assessment activities, including employee training and maintaining updates to network systems.

The Model Security Law or related legislation has been adopted in the following states: Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee and Virginia.