The SEC has settled an enforcement action against a large title insurer in connection with public statements and disclosures made by the company in May 2019 relating to a data security incident. The underlying data security incident was the subject of the first set of charges brought by the New York Department of Financial Services […]
Crisis & Data Breach Response
New York and Illinois Regulators Recommend Third Party Cybersecurity Review For Specific Vulnerabilities
This month, the Illinois Department of Insurance issued guidance to insurers recommending assessments in response to a Microsoft Exchange vulnerability, detailed in the guidance. In the Bulletin dated May 5, the Department encourages regulated entities to “assess the risk to their systems and consumers and take steps necessary to address vulnerabilities and customer impact.” The […]
NYDFS Issues Report on the SolarWinds Attack and Covered Entities’ Responses
Following the SolarWinds cyber espionage attack (the “Attack”) and the resulting focus on supply chain risk, the New York Department of Financial Services (NYDFS) has issued a report detailing the impact on and responses by its regulated covered entities to the Attack. Although there have been no reported instances of active exploitation of DFS-regulated companies […]
FBI Releases IC3 2020 Internet Crime Report Showing Record Increase in Cybercrime
The FBI’s Internet Crime Complaint Center (“IC3”) recently released its annual report, the 2020 Internet Crime Report (“Report”), which gathers statistics from nearly 800,000 complaints of suspected cybercrimes that the department received in 2020. This is a record number of complaints—a 69% increase from 2019—with reported losses exceeding $4.2 billion. According to the FBI, the […]
NYDFS Announces Cybersecurity Settlement, Addresses Multi-Factor Authentication Rules
On April 14, 2021, the New York Department of Financial Services (“NYDFS”) announced a settlement with National Securities Corporation (“National Securities”), a licensed insurer, in connection with claims under the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). The consent order requires payment of a $3M penalty and mandatory remediation in response to alleged failures to […]