Today is April 15, the date by which all entities regulated by the New York State Department of Financial Services must submit a statement to the department, certifying that they complied with the state's financial services cybersecurity requirements regulation last year. It is therefore fitting that I'm writing about two enforcement actions the department recently announced. They give some clues as to the approach the department is taking toward enforcing the regulation.
Neither action involved an insurance agency or brokerage:
Two very different organizations with millions of dollars in assets. Their day-to-day operations are far removed from those of the typical Big I New York member, who has eight or fewer employees and revenues that are a fraction of what these businesses take in. Still, if you're an insurance agency that has struggled to meet the regulation's requirements (and you are), here are a couple of lessons to take away from these two actions.
If you experience a serious cybersecurity event, you must report it. Here's what DFS reported about Residential Mortgage Services:
A July 2020 examination uncovered evidence that RMS had been the subject of a cyber breach in 2019 which had not been reported to DFS, in violation of Part 500.17 of the Cybersecurity Regulation.
The breach involved unauthorized access to the email account of an RMS employee with access to a significant amount of sensitive personal data of mortgage loan applicants. Until prompted to do so by DFS in 2020, RMS failed to conduct an investigation and identify the consumer data exposed.
Similarly, for National Securities:
The Department’s investigation uncovered evidence that National Securities had been the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the Department as mandated by the Cybersecurity Regulation.
... as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred that is either of the following:
(1) cybersecurity events impacting the covered entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
(2) cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
The events these two businesses experienced exposed consumers' private information. New York law requires such exposures to be reported to law enforcement. Accordingly, the organizations had three days to notify DFS, but the actual reports happened a year or more after the fact. Collectively, they are paying $4.5 million for those mistakes.
Lesson to insurance agents and brokers: If you suffer a cybersecurity event that is either of the two types listed above, 'fess up to it, and fast.
If you've violated one requirement, you've likely violated others, and DFS will look for those violations. Returning to the news release about Residential Mortgage Services:
The findings of the exam concluded RMS violated the DFS Cybersecurity Regulation in failing to timely report the breach, and that RMS failed to have a comprehensive Cybersecurity Risk Assessment, another requirement of the Cybersecurity Regulation.
Regarding National Securities:
The investigation uncovered, among other things, that National Securities violated the DFS Cybersecurity Regulation in failing to implement Multi-Factor Authentication (“MFA”), and without implementing reasonably equivalent or more secure access controls approved in writing by the Company’s Chief Information Security Officer. Further, National Securities falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018, due to the fact that MFA was not fully implemented.
Once DFS looked into the RMS breach, they found that the lender hadn't done a risk assessment (required by Section 500.9) and penalized them accordingly. Investigating the National Securities breaches, DFS found that they had not implemented multi-factor authentication, which they were required to do, and therefore their annual certification of compliance was false. One violation leads to another, which leads to another, and the next thing you know you're giving $3 million to the New York State government.
Side note: Insurance agencies and brokerages that qualify for the limited exemption are exempt from having to implement multi-factor authentication. However, in conversations, I've heard more than one cybersecurity consultant advise that small organizations implement it anyway. It's one more line of defense to prevent bad actors from infiltrating your computer networks. Big I New York has used it for years; I had to use it this morning in order to write this blog post.
Returning to the lesson: All the requirements are important. If you don't comply with one, and it leads to a serious event, you should expect that DFS will discover it and penalize you for all violations.
From my phone conversations, I have gathered that there are still some agencies with misconceptions about the limited exemption under this regulation. A limited exemption is just that - you are exempt from a limited number of requirements. However, even if you have only two employees and $100,000 in revenue, you must still:
- Perform an assessment of the cyber risks facing your agency
- Implement a cybersecurity program based on that assessment
- Develop written policies and procedures that everyone in your agency must follow to reduce the chances of a cybersecurity event occurring
- Include limits on who within the agency can access non-public information in those policies and procedures
- Include rules for how long to keep non-public information and how to securely dispose of it in your policies and procedures
- Include policies and procedures to verify that any third-party service providers who have access to your network or its data have appropriate cybersecurity measures in place
- Notify the DFS of a serious cybersecurity event and certify to them each year between Jan. 1 and April 15 that you complied with the requirements the previous year.
There is no such thing as an agency that is "exempt" from the regulation. You may be partially exempt, but you must still meet these requirements.
The DFS is actively enforcing this regulation's requirements. I have yet to hear of an agency being the subject of enforcement actions, but I'm not privy to everything the department is doing. I can't stress it enough: Cybersecurity is an essential part of doing business today, whether your business is an insurance agency or a gym. These requirements are to be taken seriously. Learn from the painful lessons these two organizations learned. Protect your clients, your businesses, and your balance sheets.