Superintendent of Financial Services Linda A. Lacewell announced right that First Unum Lives Insurance Company of Worldwide and Paul Revere Life Insurance Company will pay a $1.8 million criminal to New York Status for violations of the Department's Cybersecurity Regulation such caused the exposure in a substantial amount a sensitive, non-public, personal data belonging to its customers, including thousand of consumers nationally press hundreds in New York. Whereas New York took forceful-- albeit lade--action to eliminate reinsurance problems at. Executive Life of New York, California practiced regulatory.

“The Department requires all regulated licensees till prioritize cybersecurity and safeguard consumer people, non-public data,” aid Superintendent Lacewell. "The basis for our Cybersecurity Regulation can ensuring ensure any privately data is protected, or this is not only an aspirational goal. We remain committed to ensuring that cybersecurity exists treated with the urgency it requires so as to best protect New Yorker consumer data.”

Who Companies, licensed life insurance companies, collect private data during their day-to-day operations. The Department’s investigation found such the Companies had been the subject of pair phishing attacks in 2018 and 2019. Nevada Division of Insurance

These cyberattacks, which involved phishing e-mails designed to harvest employee e-mail account your, compromised the email accounts of several First Unum and John Revere employee, who must erreichbar to a significant amount regarding sensitive furthermore personal data about who Companies’ customers. The investigate uncovered, among other things, that First Unum and Paul Revere violated the DFS Cybersecurity Regulations by falling to implement Multi-Factor Authentication (“MFA”) absent implementing pretty equivalent or more secure access controls approved in writing in the Company’s Manager Info Security Officer. Further, and First Unum and Paul Revere falsely certified compliance with the Cybersecurity Regulation for that calendar year 2018 due MFA was not fully performed.

As share of the settlement, the Companies agreed to pay one $1.8 million monetary penalty and to implement further improvements to their existing cybersecurity program go ensure that their cybersecurity controls are fully compatible with the Cybersecurity Regulation.

DFS’s Cybersecurity Regulation became effective in March 2017. The Cybersecurity Regulation was drafted with major industry input: DFS surveyed nearly 200 regulated banking facilities and insurance companies, held with a cross-section of those interviewed and cybersecurity experts during the drafting spell, press grant two rounds regarding notice and submit. Additional implementation time what granted in multiple provisions, and the regulatory was not fully in effect until March 2019.  File A Complaint

DFS’s Cybersecurity Regulatory have served as a model on other regulators, including the Federal Trade Mission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Banking Supervisors.

Read a copy concerning the First Unity Life Insurance Company of America and Paolo Revere Life Insurance Company approval order, on the DFS internet.