NYDFS, insurance company reach $1.8 million cyber breach settlement
On May 13, NYDFS announced a settlement with an insurance company to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to implement multi-factor authentication or reasonably equivalent or more secure access controls. Under Part 500.12(b), covered entities are required to implement such protocols (see FAQs here). NYDFS’s investigation also revealed that the insurance company falsely certified its compliance with the cybersecurity regulation for 2018. Under the terms of the consent order, the company will pay a $1.8 million civil monetary penalty and will undertake improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the broker’s “commendable” cooperation throughout the examination and investigation and stated that the broker had demonstrated its commitment to remediation.