New York Regulator Issues Second Enforcement Action Under Cyber Rules, Insurance Journal
The New York Department of Financial Services’ (DFS) second enforcement action to date under its cybersecurity regulation underscores the importance of promptly investigating potential cybersecurity events. It also raises questions about whether insurance coverage would be available for amounts paid for alleged violations of the regulation.
On March 3, 2021, DFS announced that it had entered into a settlement with a mortgage lender, Residential Mortgage Services Inc. (RMS), over violations of DFS’ Cybersecurity Requirements for Financial Services Companies. The regulatory enforcement action against RMS is the second such action to date brought under the cybersecurity regulation, which first took effect on March 1, 2017. It’s also the first settlement under the regulation.
DFS’ first enforcement action under the cybersecurity regulation, against First American Title Insurance Company, was announced in July 2020 and was pending at the time of publication.
The cybersecurity regulation contains various requirements that apply to companies regulated by DFS, such as banks and insurance companies. Among other things, the regulation requires companies to adopt a cybersecurity program to protect consumers’ private information and to conduct periodic risk assessments of their information systems. In addition, the regulation requires companies to provide notice to DFS within 72 hours of certain cybersecurity incidents.