On March 3, 2021, the New York State Department of Financial Services (NYDFS) announced a settlement with Residential Mortgage Services, Inc. (RMS) for $1.5 million in connection with its violation of the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500). This is the second publicly-announced settlement of an enforcement action brought under NYDFS’s novel cybersecurity regulation (we wrote about the first action).
According to the consent order, in March 2020, NYDFS’ Mortgage Banking Division commenced a routine examination of RMS, which included a review of its compliance with Part 500. RMS is headquartered in Maine, but it is registered as mortgage banker in New York and other states. During the examination, NYDFS determined that RMS failed to report a March 2019 data breach incident, as required by Part 500.
Continue reading “New York Department of Financial Services Announces $1.5 Million Settlement of Second Cybersecurity Enforcement Action”
On April 13, 2020, the New York Department of Financial Services (NYDFS) issued new guidance to all New York State Regulated Entities to highlight “a significant increase in cybercrime” related to the COVID-19 epidemic. NYDFS’s guidance identified “several areas of heightened cybersecurity risk as a result of the crisis.” These risks include:
- Remote Working – The mass shift to remote working forced by COVID-19 has created new security threats which are being exploited by hackers. Regulated entities should take proactive steps to address these new security threats. Among other things, regulated entities should take steps to make their remote access as secure as possible by using multi-factor authentication and VPNs. Companies also should ensure that devices used to access networks are properly secured and/or controlled. Regulated entities also must take steps to ensure the security of remote working communications, like video conferencing applications. Finally, companies should ensure that employees are not accessing or sending sensitive or non-public information through personal email accounts or devices.
Continue reading “New York Department of Financial Services Issues New Guidance Regarding COVID-19 Cybersecurity Risks”
The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (“Model Law”) in October 2017. The purpose of the Model Law is to establish standards for data security and the investigation of and notification to the Insurance Commissioner of a Cybersecurity Event, but is not intended to create a private right of action.
The Model Law is based largely on the New York Department of Financial Services’ Cybersecurity Regulations, 23 NYCRR 500 (“NYDFS Cyber Regulations”), which took effect on March 1, 2017.  In fact, a drafting note to the Model Law indicates that compliance with the NYDFS Cyber Regulations is intended to constitute compliance with the Model Law.
Continue reading “NAIC Adopts Insurance Data Security Model Law”