New York Superintendent of Financial Services Linda A. Lacewell announced that First Unum Life Insurance Company of America and Paul Revere Life Insurance Company will pay a $1.8 million penalty to New York State for violations of DFS’s Cybersecurity Regulation that caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, including thousands of consumers nationally and hundreds in New York.
“The Department requires all regulated licensees to prioritize cybersecurity and safeguard consumer personal, non-public data,” said Superintendent Lacewell. "The cornerstone of our Cybersecurity Regulation is ensuring that all private data is protected, and this is not just an aspirational goal. We remain committed to ensuring that cybersecurity is treated with the urgency it requires so as to best protect New York consumer data.”
The Companies, licensed life insurance companies, collect private data during their day-to-day operations. The Department’s investigation found that the Companies had been the subject of two phishing attacks in 2018 and 2019.
These cyberattacks, which involved phishing e-mails designed to harvest employee e-mail account credentials, compromised the email accounts of several First Unum and Paul Revere employees, who have access to a significant amount of sensitive and personal data of the Companies’ customers.
The investigation uncovered, among other things, that First Unum and Paul Revere violated the DFS Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”) without implementing reasonably equivalent or more secure access controls approved in writing by the Company’s Chief Information Security Officer. Further, both First Unum and Paul Revere falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018 because MFA was not fully implemented.
As part of the settlement, the Companies agreed to pay a $1.8 million monetary penalty and to implement further improvements to their existing cybersecurity program to ensure that their cybersecurity controls are fully compliant with the Cybersecurity Regulation.
DFS’s Cybersecurity Regulation became effective in March 2017. The Cybersecurity Regulation was drafted with substantial industry input: DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of those surveyed and cybersecurity experts during the drafting period, and granted two rounds of notice and comment. Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019.
DFS’s Cybersecurity Regulation has served as a model for other regulators, including the Federal Trade Commission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors.