Two new cybersecurity enforcement actions from NYDFS, against GEICO and Travelers Indemnity Co. Enforcement takeaways (according to DFS's allegations):
• GEICO experienced three cybersecurity events in a short period of time, primarily involving the customer-facing interfaces for obtaining quotes and submitting claims and the web portal for GEICO agents, allowing threat actors to obtain driver's license numbers and other personal information of customers.
• GEICO only discovered the third cybersecurity event after the threat actors demanded a ransom in exchange for the return of customer data.
• NYDFS threw the Cybersecurity Regulation book at GEICO, finding inadequacies in (i) its risk assessment, (ii) implementation of the risk assessment, (iii) implementation of cyber policies, (iv) lack of encryption, (v) insufficient access controls, (vi) insufficient monitoring and (vii) inadequate penetration testing. This explains the high penalty of $5 million for this type of matter.
• Travelers experienced a Cybersecurity Event when a threat actor obtained login credentials to the portal used by Travelers' agents and used them to obtain the PII of at least 40,000 customers.
• NYDFS determined that Travelers' access control policy was insufficient because it allowed agents to share their login credentials with others, in part because Travelers had not implemented multi-factor authentication for that application. NYDFS penalized Travelers $1.2 million for the alleged deficiencies.
• The NYAG brought parallel actions under GBL § 899-bb and Exec. L. § 63(12), because some of the threat actors targeting insurance companies such as GEICO and Travelers used the illegally obtained PII to file fraudulent unemployment insurance claims with New York State during the COVID pandemic. Combined DFS and NYAG penalties were $9.75 million for GEICO and $1.55 million for Travelers.