In the five and a half years since the New York State Department of Financial Services implemented its Cybersecurity Requirements For Financial Services Companies regulation, I had yet to hear of an insurance producer being penalized for violations. Until this week.
As is my habit, I checked the department's website first thing Monday morning and found a news release they had issued last Friday, June 24. The release announced a $5 million penalty against an insurance producer for violations of the regulation.
I should mention that this wasn't any ordinary insurance producer. It was Carnival Cruise Line, the high-profile provider of ocean cruises whose annual revenue shrank to $3.5 billion in the 12 months ending in February 2022.
Apparently, Carnival had New York producer licenses to sell life insurance, accident and health insurance, and variable life/variable annuities insurance. I say "had" because the department's news release reported that the company had surrendered its licenses.
According to the news release, Carnival suffered four cybersecurity events between 2019 and 2021, including two ransomware attacks. "These Cybersecurity Events involved the unauthorized access of the companies' information systems, leading to the exposure of customers' sensitive, personal data," the statement said.
DFS found that the company had violated five sections of the regulation:
- 500.12, which required them to implement multi-factor authentication
- 500.2, which required them to include in their cybersecurity program a plan to meet reporting obligations to DFS
- 500.17(a), which required them to report a significant cybersecurity event to DFS within 72 hours of determining that it had occurred (the first event was not reported within that timeframe)
- 500.14, which required them to implement policies and procedures designed to detect unauthorized access or use of non-public information
- 500.17(b), which required them to annually submit an accurate certification of compliance with the regulation (the department determined that the certifications filed for calendar years 2018 through 2018 were "improper" because of the missing safeguards)
Insurance agencies and brokerages that qualify for the regulation's limited exemption are exempt from the multi-factor authentication and system monitoring requirements. However, the event reporting and certification of compliance requirements apply to all individuals and entities who hold New York insurance licenses. Any agency that is not complying with those requirements could also face DFS penalties, though likely not to the tune of $5 million.
The takeaway: DFS is enforcing this regulation. To date, the enforcement actions they've publicized have been against large entities - lenders, insurance carriers, and now a multi-billion dollar travel business. New York licensed agents and brokers should not assume that big targets are the only targets. All "covered entities" (those with New York insurance or financial services licenses or banking charters) are expected to comply with requirements that apply to them. We encourage you to take the obligations seriously.
For more information on how your agency or brokerage can comply with the regulation: