Insurance firm EyeMed fined $4.5 million by New York's Department of Financial Services for failing to comply with its cybersecurity regulation!
EyeMed fell victim to an attacker in 2020 who gained access to six years' worth of internal information and used a company email account to send more than 2,000 phishing emails to additional victims.
The Wall Street Journal reports that the New York Department of Financial Services (NYDFS) conducted an investigation and found that EyeMed had failed multiple points of compliance with the state's cybersecurity regulation, including failing to perform a third-party risk assessment.
Further, the New York Attorney General alleges that EyeMed also failed to comply with the New York SHIELD Act.
As NYDFS prepares new, stricter regulatory updates that launch within weeks, it is also increasing the penalties and fines it levies on insurance and financial companies.
In the settlement, NYDFS claimed that EyeMed violated seven provisions of the Cybersecurity Regulation: (source dataprotectionreport.com)
- Failure to maintain a cybersecurity risk assessment;
- Failure to implement and maintain a cybersecurity policy addressing information security, access controls and identity management, customer data privacy, and risk assessment;
- Failure to limit user access privileges with respect to personal information;
- Failure to conduct a risk assessment sufficient to inform the design of the cybersecurity program;
- Failure to implement MFA;
- Failure to have policies and procedures for the secure disposal on a periodic basis of personal information; and
- Improper certification of compliance with the Cybersecurity Regulation.
"The [new DFS] eventual updates, coupled with federal regulations … is raising and raising the accountability for cybersecurity to [a company's] C-suite and to the board," said Erez Liebermann of the law firm Debevoise & Plimpton LLP.
We at Motiva Networks can help prepare your company to be NYDFS and SHIELD Act compliant. We are the only IT firm that can assure compliance with both the insurance-sector (NYDFS) and state (SHIELD Act) cybersecurity regulations. Our Compliance as a Service is a "Done For You" compliance assurance: we hit every bullet point the law requires, and we monitor your systems for cyberattacks 24/7/365.
Claim your FREE Cybersecurity Risk Assessment today.