The NYS Department of Financial Services (“DFS”) has recently announced two multi-million dollar settlements and has increased enforcement of its Cybersecurity Regulation. It is important to note that DFS has announced three enforcement actions since early March 2021, whereas no enforcement actions were announced in the prior six months. Described below are the two most recent enforcement actions.
On April 14, 2021, DFS announced a $3 million penalty and enforcement action against National Securities Corporation (“NSC”), a regulated insurance company. The DFS investigation uncovered that NSC had suffered four cyber breaches in the prior years and had not reported two of them as required by DFS’s Cybersecurity Regulation. Notably, each of the breaches involved unauthorized access to NSC employee email accounts, which was used to obtain credentials giving access to customer data. Moreover, DFS found that NSC failed to implement Multi-Factor Authentication “without implementing reasonably equivalent or more secure access controls approved in writing,” and, thus, NSC also falsely certified compliance with DFS’s Cybersecurity Regulation.
See DFS’s announcement here – https://dfs.ny.gov/reports_and_publications/press_releases/pr202104141
A mere four weeks later, on May 13, 2021, DFS announced a $1.8 million penalty and enforcement action against the First Unum Life Insurance Company of America and Paul Revere Life Insurance Company. Similar to NSC, DFS found that the companies had been the subject of phishing attacks targeting employee email accounts in order to obtain credentials giving access to customer data. As with NSC, DFS also found that the companies failed to implement Multi-Factor Authentication and, thus, falsely certified compliance. See DFS’s announcement here – https://dfs.ny.gov/reports_and_publications/press_releases/pr202105131
In sum, DFS is clearly signaling that it is ramping up enforcement of its Cybersecurity Regulation; however, DFS appears to be starting with some of the more reasonable and easier-to-implement cybersecurity measures. If it has not been accomplished already, management should immediately conduct a risk assessment and ensure that its organization is fully compliant with DFS’s Cybersecurity Regulation. Management must continue to make cybersecurity one of its top priorities to mitigate risk and protect its organization from cyber-criminals as well as from debilitating DFS investigations and enforcement actions.