As the June 10 close of session quickly approaches, the Assembly and Senate introduced and moved hundreds of bills the past couple of weeks. The Senate wrapped up their regularly scheduled Committee meetings and the Assembly will continue to hold Committee meetings until the week before they adjourn for the year.
COVID-19 Executive Orders and Guidance
Following the Governor’s announcement of the lifting of the mask mandate on May 19, the Department of Health released guidance on these new social distancing requirements. The document includes a flow chart that guides businesses in following the new mandates. Governor Cuomo signed Executive Order 202.109 on May 25, which extended all previous mandates and the declaration of the State Disaster Emergency until June 24, 2021.
Regulation 187 - DFS Appeals to New York Court of Appeals
As last reported, at the end of April 2021, the New York Appellate Division, Third Department, entered a decision in the case of In the Matter of Independent Insurance Agents and Brokers of New York, Inc. v. New York State Department of Financial Services, finding that Regulation 187 is unconstitutional on the grounds of vagueness. As anticipated, on May 27, 2021, the Department of Financial Services (“DFS”) filed a Notice of Appeal to the Court of Appeals.
Cyber Violation Found Against an Insurer
DFS has continued its enforcement of violations of its Cybersecurity Regulation. DFS entered into a consent order with First Unum Life Insurance Company of America and Paul Revere Life Insurance Company for violations of the Cybersecurity Regulation. The companies will pay a fine of $1.8 million. DFS’s investigation found that the companies had been the subject of two phishing attacks which compromised the email accounts of several employees. The investigation uncovered that the companies violated the Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”) without implementing reasonably equivalent or more secure access controls. Further, they falsely certified compliance with the Cybersecurity Regulation because MFA was not fully implemented.
Cyber Violations – It’s Not Just for Insurers
DFS also fined Residential Mortgage Services, Inc. (“RMS”) $1.5 million for violations of the Cybersecurity Regulation. An examination uncovered evidence that RMS had been the subject of a cyber breach which had not been reported to DFS in violation of the Cybersecurity Regulation.
The breach involved unauthorized access to the email account of an employee with access to a significant amount of sensitive personal data of mortgage loan applicants. Until prompted to do so by DFS, RMS failed to conduct an investigation and identify the consumer data exposed.
The employee had responded to a phishing email which contained a hyperlink to a malicious website, which the employee “clicked on.” Upon arrival at the malicious website, the employee was prompted to provide the username and password required to log in to her work email account, and she did.
MFA was in place, and to gain access, the employee also had to provide a second means of authentication. In this instance, the employee did so by tapping the screen of her smartphone to give her approval in response to an alert from the MFA application on her phone, which notified her that someone was seeking approval to log in to her email account. After work hours, the employee tapped her phone screen four times to provide authentication and permit remote access to her email account. The employee granted access even though her workday was over and she was not attempting to access her own email account. The following day, after the fifth such prompt for authentication, the employee notified IT staff of the anomalous activity.
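The two signals in the incident above, push approvals granted outside working hours and a run of prompts to one user in a short period, are exactly the conditions a defender can alert on from MFA provider logs. The following is an added illustration written for this update; it is not code from DFS, from RMS, or from any MFA product. The log format, the user names, the timestamps, the 8:00–18:00 working window and the three-prompts-per-day threshold are all constructed assumptions and would need to be mapped to the real provider's export and tuned to the organization.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records from a hypothetical MFA push log (assumption:
# one record per push prompt, with the user's response). Not real data.
SAMPLE_EVENTS = [
    {"user": "jdoe", "ts": "2021-03-02T09:12:41", "result": "approved"},
    {"user": "jdoe", "ts": "2021-03-02T19:03:10", "result": "approved"},
    {"user": "jdoe", "ts": "2021-03-02T19:05:52", "result": "approved"},
    {"user": "jdoe", "ts": "2021-03-02T19:21:07", "result": "approved"},
    {"user": "jdoe", "ts": "2021-03-02T21:40:33", "result": "approved"},
    {"user": "jdoe", "ts": "2021-03-03T08:02:19", "result": "denied"},
    {"user": "asmith", "ts": "2021-03-02T10:30:00", "result": "approved"},
    {"user": "asmith", "ts": "2021-03-02T14:15:00", "result": "approved"},
]

# Assumed working hours; an organization would set these per user or team.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


def parse_ts(ts):
    """Parse the ISO 8601 timestamp used in the constructed log."""
    return datetime.fromisoformat(ts)


def is_after_hours(ts):
    """True if the prompt fell outside the assumed working window."""
    t = parse_ts(ts).time()
    return not (BUSINESS_START <= t < BUSINESS_END)


def find_push_anomalies(events, max_prompts_per_day=3):
    """Scan push records for the two patterns seen in the incident.

    Returns a dict with:
      after_hours_approvals: list of (user, ts) for approvals outside hours
      prompt_floods: {(user, date): count} where prompts exceeded the threshold
    Both patterns are reported separately so either can page on its own;
    a user who appears in both is the strongest signal of a compromised
    password being used to drive repeated push prompts.
    """
    after_hours = []
    prompts_per_day = defaultdict(int)

    for event in events:
        when = parse_ts(event["ts"])
        if event["result"] == "approved" and is_after_hours(event["ts"]):
            after_hours.append((event["user"], event["ts"]))
        # Count every prompt, approved or denied: a burst of denials is
        # still evidence that someone else holds the password.
        prompts_per_day[(event["user"], when.date().isoformat())] += 1

    floods = {
        key: count
        for key, count in prompts_per_day.items()
        if count > max_prompts_per_day
    }
    return {"after_hours_approvals": after_hours, "prompt_floods": floods}


if __name__ == "__main__":
    findings = find_push_anomalies(SAMPLE_EVENTS)
    for user, ts in findings["after_hours_approvals"]:
        print(f"after-hours approval: {user} at {ts}")
    for (user, day), count in findings["prompt_floods"].items():
        print(f"prompt flood: {user} received {count} prompts on {day}")
```

Run against the constructed sample, the scan reports four after-hours approvals for `jdoe` and flags that user's five prompts on 2021-03-02, matching the shape of the RMS incident: the first after-hours approval is the point at which an alert would have reached IT a day earlier than the employee's own report. Number-matching or phishing-resistant second factors remove the "tap to approve" decision from the user entirely, but where push approval remains in use, this kind of log review is the compensating control.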
DFS concluded RMS violated the Cybersecurity Regulation in failing to timely report the breach and failing to have a comprehensive Cybersecurity Risk Assessment.
DFS Reports on the SolarWinds Cyber Attack
DFS has made clear its view that the next great financial crisis could come from a cyber attack. According to a newly published DFS report, this vulnerability was made clear on December 13, 2020, when it was discovered that a sophisticated adversary had used the SolarWinds Orion Platform to plant stealthy backdoors in the networks of thousands of companies and government agencies (“the SolarWinds Attack”). Although most Orion customers were not targeted for a follow-on intrusion, at least nine federal agencies and approximately 100 companies were compromised.
During the SolarWinds Attack, hackers corrupted routine software updates that were downloaded onto thousands of organizations’ information systems. DFS’s investigation and report on the New York financial services industry’s response to the SolarWinds Attack concluded that the attack confirms the importance of vigorous third-party risk management, which starts with a thorough assessment of an organization’s third-party risk. DFS found that some regulated companies using Orion were not classifying SolarWinds as a critical vendor, even though Orion had privileged access to the company’s network.
In the Report, DFS stressed that third-party risk management is a key part of DFS’s Cybersecurity Regulation, and the Department is exploring ways to further address this critical component of cybersecurity. DFS identified the following cybersecurity measures as critical practices:
• Fully assess and address third party risk.
• Adopt a “zero trust” approach and implement multiple layers of security.
• Timely address vulnerabilities through patch deployment, testing, and validation.
• Address supply chain compromise in incident response plans.
A copy of DFS’s report can be found here.