The New York Department of Financial Services (“NYDFS”) recently announced it has entered into a Consent Order with an insurance agency for alleged violations of New York’s Cybersecurity Regulation (the “NY Cybersecurity Regulation”). The NYDFS indicated that it had been investigating a Cybersecurity Event that was experienced by the Insurance Agency and that based on its investigation, the Department concluded that the Insurance Agency violated the following sections of the NY Cybersecurity Regulation:

1. The Insurance Agency did not have multi-factor authentication fully implemented for all users in the United States and did not have reasonably equivalent or more secure access controls approved in writing by the Insurance Agency’s Chief Information Security Officer(s) (“CISO”), in violation of 23 NYCRR § 500.12(b);

2. The Insurance Agency failed to maintain, for the required three years, audit trails designed to detect and respond to Cybersecurity Events, in violation of 23 NYCRR § 500.06(b);

3. The Insurance Agency improperly certified compliance with the Cybersecurity Regulation for the 2020 calendar year, in violation of 23 NYCRR § 500.17(b); and

4. The Insurance Agency did not file a certification of compliance with the Cybersecurity Regulation for the calendar years 2018 and 2019, in violation of 23 NYCRR § 500.17(b).

Under the Consent Order, the Insurance Agency agreed to:

1. Pay a $1.9 million penalty to the NYDFS.

2. Continue to strengthen its controls to protect its cybersecurity systems and consumers’ Non-Public Information (“NPI”) in accordance with the requirements of the NY Cybersecurity Regulation.

3. Cyber Maturity Assessment.

   1. Complete a Cyber Maturity Assessment (“CMA”) within 120 days of the effective date of the Consent Order to review its cybersecurity infrastructure and environment following the remediation efforts it has undertaken since the Cybersecurity Event.

   2. Within 90 days of completing the CMA, submit to the NYDFS a copy of the results of the CMA, together with a report prepared by the Insurance Agency containing any steps it will take or has already taken, to address recommendations contained in the CMA.

4. MFA Audit. Within 120 days of the effective date, hire a third-party auditor to conduct an audit of current MFA controls in the various environments utilized by the Insurance Agency and submit the results to the NYDFS. The Insurance Agency must remediate any issues identified within a reasonable timeframe agreed to by the Department.

5. Audit Trail Implementation and Audit. Within 120 days of the effective date, hire a third-party auditor to conduct an audit of the Insurance Agency’s audit trail record retention policy and develop a plan for becoming compliant with Part 500.06 requirements. Upon completion, a copy of the third-party audit will be provided to the NYDFS.

6. Information Security Dashboard. Within 180 days of the effective date, develop an information security reporting system that tracks all Information Security functions taking place at the Insurance Agency and that can be accessed by executives overseeing Information Security. Screenshots or samples of such system are to be made available to the NYDFS upon request.

The recent Consent Order continues a trend toward stepped up enforcement of the NY Cybersecurity Regulation.^[i][ii]

The NY Cybersecurity Regulation became effective in March 2017 and has served as a model to the states, as well as the National Association of Insurance Commissioner’s Insurance Data Security Model Law (“Model Security Law”), which applies to insurance companies, insurance agencies and agents, third party administrators, insurance adjusters and other entities licensed by state insurance departments. The Model Security Law requires insurance entities to establish and maintain a cybersecurity program designed to protect the confidentiality and integrity of their Information Systems, as well as any consumer non-public information. Additionally, the Model Security Law requires covered entities to (1) certify compliance with the Model Security Act annually, (2) have a written incident response plan, (3) develop and maintain a comprehensive written security program based on the entity’s risk assessment and (4) conduct risk management and risk assessment activities, including employee training and maintaining updates to network systems. Many states have adopted the Model Security Law and a number of state insurance departments have filing requirements applicable to licensed entities in their states.

FOOTNOTES

^{[i] April 12, 2021 Polsinelli Client Alert, “First NYDFS Cybersecurity Enforcement Action Arising From a Standard Examination Results in $1.5 Million Penalty”.}

^{[ii] July 12, 2021 Polsinelli Client Alert, “New York Department of Financial Services Announces a $1.8 Million Settlement with Two Life Insurers for Data Breach Violations”.}