Insurance Company Hit with $3 Million Penalty for Cybersecurity Violations

National Securities Corporation, a licensed insurance company, will pay a $3 million penalty to New York State for violations of the Department of Financial Services’ (DFS) Cybersecurity Regulation. The DFS investigation revealed that National Securities had experienced four cyber breaches between 2018 and 2020, two of which were never reported to the DFS as required by the Cybersecurity Regulation. The violations caused exposure of “a substantial amount of sensitive, non-public, personal data belonging to its customers, including thousands of New York consumers,” since the cyber breaches involved unauthorized access to the e-mail accounts of National Securities employees and independent contractors. A chief violation was that National Securities failed to implement Multi-Factor Authentication (MFA) and “reasonably equivalent or more secure access controls approved in writing by the Company’s Chief Information Security Officer.” As a result, National Securities falsely certified compliance with the Cybersecurity Regulation for 2018, because MFA was not fully implemented. As part of the settlement, National Securities agreed to the $3 million penalty and began improvements to its existing cybersecurity program, ensuring full compliance with the Cybersecurity Regulation.

DFS Press Release 04.14.21