Specialty insurance brokerage Relation Insurance, Inc. announced this week that it experienced a cybersecurity event last summer. The company said that personal information was exposed but that it has "no evidence to suggest actual or attempted misuse" of the information.
What This Means To You:
Relation and six of its affiliated companies hold various New York property-casualty and life insurance licenses. Any Big I New York members who obtain coverage through Relation should be aware that this has happened and monitor the situation accordingly. It is possible that these agencies may have to report the incident to the New York State Department of Financial Services (NYSDFS) in the future.
Relation's announcement said that the company detected unusual activity in an employee's email account last August 15. With the help of a third-party computer forensics specialist, they determined that "an unknown individual" accessed the account on Aug. 14 and 15. The investigators have confirmed that personal information was present in the account. This information included such things as email addresses, Social Security numbers, drivers license numbers, bank account and credit card information, and medical treatment information.
The company said it notified its insurance provider partners of the event in mid-December. A report was also made to law enforcement authorities.
The announcement states, "To date, Relation has no evidence to suggest actual or attempted misuse of information as a result of this event." Nevertheless, it has set up a dedicated assistance phone line for individuals who want more information. They may call 1-844-902-2034 between 9:00 am and 6:30 pm on weekdays.
What You May Need To Do:
As a reminder, New York's Cybersecurity Requirements For Financial Services Companies regulation requires any individual or non-governmental entity "required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law" to report certain "cybersecurity events" to the NYSDFS. The regulation defines "cybersecurity event" as "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System."
Relation Insurance's event falls within that definition, but that does not necessarily mean that New York brokers obtaining coverage through them must report it. The regulation requires a cybersecurity event to be reported if it has "a reasonable likelihood of materially harming any material part of the normal operation(s)" of the brokerage. A report must also be made if existing law requires the brokerage to report it to any governmental body or other supervisory body.
New York's recently-enacted SHIELD Act states, "In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person." The report from Relation Insurance does not indicate that this has happened. At this point, it may not be necessary for affected brokerages to report the incident to the New York State Attorney General and the NYSDFS. However, all brokerages doing business with Relation should monitor the situation closely for updates.