New York Regulator Issues Second Enforcement Action Under Cyber Rules, Insurance Journal

By Eric B. Stern, partner and co-chair of the KD Data Privacy & Cybersecurity Practice Group, and Andrew Lipkowitz, Long Island attorney. Published by Insurance Journal  l  March 23, 2021

The New York Department of Financial Services’ (DFS) second enforcement action to date under its cybersecurity regulation underscores the importance of promptly investigating potential cybersecurity events. It also raises questions about whether insurance coverage would be available for amounts paid for alleged violations of the regulation.

On March 3, 2021, DFS announced that it had entered into a settlement with a mortgage lender, Residential Mortgage Services Inc. (RMS), over violations of DFS’ Cybersecurity Requirements for Financial Services Companies. The regulatory enforcement action against RMS is the second such action to date brought under the cybersecurity regulation, which first took effect on March 1, 2017. It’s also the first settlement under the regulation.

DFS’ first enforcement action under the cybersecurity regulation against First American Title Insurance Company was announced in July 2020 and was pending at the time of publication.

The cybersecurity regulation contains various requirements that apply to companies regulated by DFS, such as banks and insurance companies. Among other things, the regulation requires companies to adopt a cybersecurity program to protect consumers’ private information and to conduct periodic risk assessments of their information systems. In addition, the regulation requires companies to provide notice to DFS within 72 hours of certain cybersecurity incidents.

Read more at the full article.