More cybersecurity enforcement from NYDFS, this time against Carnival Cruise Lines. Enforcement takeaways:
- Carnival Cruise Lines paid $5 million and surrendered its license to be an insurance broker in New York. It had sold life, accident and health insurance to cruise customers.
- NYDFS alleged “significant” violations, including:
  - Failure to implement multi-factor authentication;
  - Failure to timely report a Cybersecurity Event;
  - Inadequate training;
  - False certification of compliance with Part 500.
- Four Cybersecurity Events occurred between 2019 and 2021, including phishing incidents and ransomware attacks.
- Sensitive Non-Public Information (NPI) of customers was exfiltrated.
The consent order may be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202206241