NYDFS COMPLETES CYBERSECURITY INVESTIGATION SWEEP WITH ENFORCEMENT ACTIONS AGAINST MULTIPLE INSURANCE COMPANIES

Superintendent Harris has been busy on her way out the door:

– In addition to issuing several pieces of guidance in the past few weeks, she announced Consent Orders with 8 insurance firms and brokers resolving an investigation involving attacks on agent and consumer portals that allegedly exposed consumer information. According to the DFS press release:

– “Farmers Insurance Exchange will pay $2.775 million; Hagerty Insurance Agency, LLC will pay $1.85 million; Hartford Fire Insurance Company will pay $3 million; Infinity Insurance Company will pay $2.25 million; Liberty Mutual Insurance Company will pay $2.7 million; Metromile Insurance Company will pay $2.05 million; Midvale Indemnity Company will pay $2 million; and State Automobile Mutual Insurance Company will pay $2.5 million in civil monetary penalties to the State of New York.”

– “The DFS investigation concluded that the auto insurance companies did not comply with DFS’s cybersecurity regulation, which requires them to implement policies, procedures, and controls designed to protect consumer data and the information systems of the financial institutions themselves. As a result, threat actors were able to access consumer nonpublic information (NPI) stored on and accessible through their information systems, including driver’s license numbers, via public-facing web applications and agent portals that the insurance companies used to provide automobile insurance quotes to prospective customers. DFS alerted all regulated entities of these attacks in two industry letters, dated February 16, 2021 and March 30, 2021.
In addition to the failures described above, Farmers and Infinity failed to timely report their respective cybersecurity events. This notice requirement is a critical safeguard that enables the Department to carry out its responsibility to protect consumers.”

– “As part of the settlements, each company has agreed to conduct remedial measures, including conducting a comprehensive review of the accessibility of consumer NPI stored on their information systems.”

According to DFS, the Office of the New York State Attorney General and DFS conducted a coordinated investigation.