The New York State Department of Financial Services (DFS) recently announced a $19 million aggregate penalty against eight auto insurance companies for violations of its cybersecurity regulation. As a result of inadequate cybersecurity controls, threat actors were able to access consumer nonpublic information, including driver's license numbers and dates of birth, using online automobile insurance quoting applications.
The resulting penalties confirm that DFS scrutiny focuses not just on the occurrence of a breach, but on the integrity of compliance programs and the necessity of timely incident reporting. For entities regulated under the DFS Cybersecurity Regulation (23 NYCRR Part 500), this enforcement action serves as a crucial reminder: Compliance is a critical step to mitigate severe financial and operational risk.
1. 72-Hour Reporting Mandate
The most immediate financial risk for regulated entities under 23 NYCRR 500.17 stems from the mandatory reporting requirement triggered by certain cybersecurity events. A cybersecurity event is broadly defined and generally covers a wide array of security occurrences, from attempted breaches to successful intrusions. However, the mandatory 72-hour clock is only triggered when a cybersecurity event meets specific criteria and is deemed a cybersecurity incident.
- Rule: A Covered Entity must notify the Superintendent "as promptly as possible but in no event later than 72 hours" from the time the entity makes a determination that a cybersecurity incident has occurred.
- Triggers: Reporting is mandatory only when the cybersecurity event escalates into a cybersecurity incident that meets at least one of the following criteria: (1) it requires notification to any government body, self-regulatory agency, or any other supervisory body; (2) it has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity; or (3) it results in the deployment of ransomware within a material part of the covered entity's information systems.
- Implications of Delay: DFS investigations have demonstrated a willingness to impose significant financial penalties when reporting is delayed. Prior enforcement actions have repeatedly shown that delayed notification escalates a cybersecurity incident into a severe regulatory compliance failure. Consequently, adherence to this reporting clock is the most critical action an entity can take to control its risk exposure immediately following an incident.
2. DFS Enforcement Trends
The $19 million aggregate penalty against auto insurers is evidence that DFS is enforcing its full statutory authority. This significant financial action signals that DFS penalties are not only assessed on a single failure but also on the accumulation of multiple violations of the Part 500 regulation. Further, delayed reporting has the potential to serve as the entry point for a wider compliance audit.
Penalties are often driven by key programmatic deficiencies uncovered during investigations such as:
- Inadequate Testing: Failing to implement required penetration testing and biannual vulnerability assessments means systemic weaknesses go undetected before an incident occurs.
- Governance: Violations stemming from inadequate executive oversight, including the filing of improper annual compliance certifications.
3. Risk Management Considerations
In light of the DFS's enforcement activity, regulated entities should prioritize a strategic review of their compliance structure to:
- Review Incident Response Protocols: Incident Response Plans should clearly define the exact moment of "determination" of a reportable event to ensure the organization can notify as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred.
- Confirm Access Control Implementation: Ensure comprehensive Multi-Factor Authentication is implemented across all appropriate channels and that privileged access is strictly managed, aligning with the enhanced requirements of Part 500.
- Confirm CISO Attestation Integrity: Conduct a documented assessment to validate the maturity and effectiveness of key security controls. This is essential to support the integrity of the CISO's attestation and mitigate risks associated with improper certifications.
- Conduct Mandated Testing and Assessments: Ensure adherence to the requirements for conducting an annual penetration test and biannual vulnerability assessments. These proactive, documented measures are critical for regularly evaluating the effectiveness of controls and providing the necessary audit trail to demonstrate continuous compliance during regulatory reviews.
The recent $19 million settlement against auto insurance companies sends a clear signal that the DFS considers cybersecurity compliance a top enforcement priority. Regulated entities can adopt a proactive approach to risk management by focusing on timely reporting, robust governance, and implementing core technical controls to mitigate risk.