On November 25, 2024, the New York State Department of Financial Services (“NYDFS”) announced it settled with two large insurance companies over allegations of inadequate data security practices in violation of New York’s cybersecurity regulation (23 NYCRR Part 500) (the “Cybersecurity Regulation”) that led to the compromise of more than 120,000 New Yorkers’ personal information. The Cybersecurity Regulation defines standards for cooperative industry compliance, robust consumer data protection, cybersecurity controls, and timely reporting of cybersecurity events. Threat actors targeted online auto insurance quoting applications, obtaining Nonpublic Information (“NPI”) such as driver’s license numbers and dates of birth, which were then used to file fraudulent unemployment claims during the COVID-19 pandemic. In total, the two insurers agreed to pay $11.3 million in penalties, $9.75 million for the first insurer, and $1.55 million for the second.

While the settlement orders sanction two companies in the insurance industry, many other companies regulated by the NYDFS could be similarly vulnerable to threat actors due to inadequate cybersecurity programs, and therefore exposed to hefty penalties from the NYDFS.

The Consent Orders

In the case of the first insurer, the threat actors were able to take advantage of the insurer’s website architecture to initiate queries for auto insurance pricing with stolen identities. The threat actors then extracted the full, unredacted driver’s license number returned by the website. When the insurer remediated this issue, the threat actors started targeting another public-facing web application. The attackers leveraged an open application programming interface (“API”) in the auto insurance quoting tools and were able to obtain additional driver’s license numbers by querying the API using the session token from the auto insurance purchase page as a valid identifier. Although the insurance company received several alerts from the NYDFS about a coordinated campaign against the auto insurance industry, this vulnerable architecture was not identified by the insurer until the threat actors attempted to ransom the insurer over the compromised information.

Most notably, the NYDFS found that the insurance company did not implement an adequate cybersecurity program, in violation of the Cybersecurity Regulation. The company failed to perform regular risk assessments (Part 500.9) and annual penetration testing (Part 500.5). For example, at the time of the latest cyber incident in November 2021, the most recent risk assessment came from a 2018 penetration test conducted by a third party. This penetration test was limited in scope, as it did not consider NPI collected or stored on the insurer’s information systems. Nevertheless, the third party that conducted the penetration test had alerted the insurance company to the importance of encrypting its sensitive information and recommended sanitizing public-facing web servers and applications. The NYDFS also determined that the insurance company failed to implement adequate continuous monitoring (Part 500.5), which might have mitigated the impact of the incidents by alerting the company to the abnormal traffic to the API exploited by the threat actors.
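The two control gaps described above for the first insurer, an API that handed back the full driver’s license number to anyone holding a valid session token, and the absence of monitoring that would have caught the abnormal lookup volume, map to concrete engineering measures. The following is an added, illustrative example written for this commentary; it is not the insurer’s or the NYDFS’s code. The quote store, session and field names, API path, thresholds and access-log lines are all assumed or constructed for the example.

```python
"""Illustrative controls for an online quoting API (not the insurers' or the
NYDFS's code): bind quote records to the session that created them, mask the
driver's license number before it leaves the API, and flag clients whose
lookup rate is abnormal.  Field names, paths, thresholds and log lines are all
assumed/constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed quote store: quote id -> record, including which session created it.
QUOTES = {
    "q-1": {"owner_session": "s-legit", "drivers_license": "D1234567",
            "date_of_birth": "1980-01-01", "premium": 412},
    "q-2": {"owner_session": "s-other", "drivers_license": "D7654321",
            "date_of_birth": "1975-06-30", "premium": 388},
}

def mask_license(dl: str) -> str:
    """Keep only the last three characters: enough for the customer to confirm
    a match, not enough to reuse the number elsewhere."""
    return "*" * max(len(dl) - 3, 0) + dl[-3:]

def redact_quote(record: dict) -> dict:
    """Copy of a quote record with NPI masked or dropped before it is returned."""
    out = {k: v for k, v in record.items() if k not in ("owner_session", "date_of_birth")}
    if "drivers_license" in out:
        out["drivers_license"] = mask_license(out["drivers_license"])
    return out

def lookup_quote(session: str, quote_id: str, store=QUOTES):
    """Authorize on the record's owner, not merely on holding *a* valid session
    token; return None for any quote the caller did not create."""
    record = store.get(quote_id)
    if record is None or record["owner_session"] != session:
        return None
    return redact_quote(record)

# --- Monitoring: abnormal volume of quote lookups per IP or session ---------
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) session=(?P<session>\S+) "
                    r"GET (?P<path>\S+) status=(?P<status>\d+)$")

# Constructed access log: one ordinary shopper, and one client pricing
# a dozen identities in under a minute.  One malformed line is included.
SAMPLE_LOG = [
    "2021-11-02T10:00:00 198.51.100.4 session=s-legit GET /api/quote/q-1 status=200",
    "2021-11-02T10:01:30 198.51.100.4 session=s-legit GET /api/quote/q-1 status=200",
    "not a log line at all",
] + [
    f"2021-11-02T10:00:{i * 5:02d} 203.0.113.9 session=s-bulk GET /api/quote/q-{100 + i} status=200"
    for i in range(12)
]

def find_abnormal_clients(lines, window=timedelta(minutes=5), threshold=10):
    """Return {(kind, id): total lookups} for every IP or session that made more
    than `threshold` quote lookups inside any `window`; unparsable lines are skipped."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/api/quote/"):
            continue
        ts = datetime.fromisoformat(m["ts"])
        per_client[("ip", m["ip"])].append(ts)
        per_client[("session", m["session"])].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[client] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(lookup_quote("s-legit", "q-1"))   # masked record, no date of birth
    print(lookup_quote("s-legit", "q-2"))   # None: not this session's quote
    print(find_abnormal_clients(SAMPLE_LOG))
```

The ownership check in `lookup_quote` is the point the consent order turns on: a session token proves that someone started a quote, not that they are entitled to every record the quoting tool can reach. The monitor is deliberately simple (a sliding count per client); in production the same signal would feed a SIEM rule or an API gateway rate limit, and the threshold would be tuned against the rate at which genuine shoppers price vehicles.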

Regarding the second insurer, the threat actors targeted an auto insurance quoting tool used by the insurer’s independent agents. The threat actors leveraged compromised credentials to access the NPI available on the agents’ portal. Leading up to the cyber incident, the insurance company received multiple industry alerts about threat actors conducting credential stuffing attacks that resulted in the acquisition of driver’s license numbers through similar online quoting tools. Although the insurance company was in the process of implementing multifactor authentication (“MFA”) on the agents’ accounts, the accounts used by the threat actors did not have MFA enabled at the time. Additionally, the NYDFS found that independent agents may have been using shared credentials, in violation of the company’s access control policies. Once they had gained access to the agents’ instant quote portal, the threat actors were able to generate reports that included full driver’s license numbers in plain text for approximately 4,000 New Yorkers.

In the settlement order with the second insurer, the NYDFS highlighted the weaknesses of the insurance company’s access controls in violation of several sections of the Cybersecurity Regulation. Specifically, the company failed to limit user access privileges to systems with NPI by implementing robust access controls such as MFA (Part 500.7). Additionally, despite having contracts in place with the independent agents to prohibit sharing credentials, the NYDFS found during its investigation that the insurance company was aware that independent agents may have been using shared credentials, therefore violating the Cybersecurity Regulation (Part 500.3(d)).
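The second order describes three conditions a portal operator can observe in its own authentication logs: credential stuffing against agent accounts, accounts that appear to be shared among several people, and successful logins on accounts that still lack MFA. The following is an added example written for this commentary, not the insurer’s code; the log format (timestamp, account, source IP, result, MFA flag), the thresholds and every log line are constructed for the example.

```python
"""Indicators from agent-portal authentication logs (illustrative, not the
insurer's code).  Log format, thresholds and all entries are assumed/constructed:
    <ISO timestamp> <account> <source ip> <success|failure> mfa=<yes|no>"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: one source trying six accounts in six seconds (one succeeds),
# one account used from three networks within twenty minutes, one clean login.
SAMPLE_AUTH_LOG = [
    "2021-09-01T08:00:00 agent.adams 203.0.113.50 failure mfa=no",
    "2021-09-01T08:00:01 agent.baker 203.0.113.50 failure mfa=no",
    "2021-09-01T08:00:02 agent.clark 203.0.113.50 failure mfa=no",
    "2021-09-01T08:00:03 agent.davis 203.0.113.50 failure mfa=no",
    "2021-09-01T08:00:04 agent.evans 203.0.113.50 failure mfa=no",
    "2021-09-01T08:00:05 agent.smith 203.0.113.50 success mfa=no",
    "2021-09-01T09:00:00 agent.jones 198.51.100.10 success mfa=no",
    "2021-09-01T09:10:00 agent.jones 198.51.100.77 success mfa=no",
    "2021-09-01T09:20:00 agent.jones 192.0.2.33 success mfa=no",
    "2021-09-01T09:30:00 agent.lee 198.51.100.10 success mfa=yes",
]

def parse_auth(line: str) -> dict:
    """Split one log entry into typed fields."""
    ts, user, ip, result, mfa = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "ok": result == "success", "mfa": mfa == "mfa=yes"}

def credential_stuffing_sources(lines, min_accounts=5, min_fail_ratio=0.8):
    """Source IPs that tried at least `min_accounts` distinct accounts with a
    failure rate of `min_fail_ratio` or more: the credential-stuffing shape."""
    by_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for rec in map(parse_auth, lines):
        stats = by_ip[rec["ip"]]
        stats["users"].add(rec["user"])
        stats["total"] += 1
        if not rec["ok"]:
            stats["fail"] += 1
    return sorted(ip for ip, s in by_ip.items()
                  if len(s["users"]) >= min_accounts
                  and s["fail"] / s["total"] >= min_fail_ratio)

def shared_credential_accounts(lines, window=timedelta(hours=1), min_sources=3):
    """Accounts with successful logins from `min_sources` or more distinct IPs
    inside any `window`: the pattern of one credential used by several people."""
    per_user = defaultdict(list)
    for rec in map(parse_auth, lines):
        if rec["ok"]:
            per_user[rec["user"]].append((rec["ts"], rec["ip"]))
    flagged = []
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({ip for _, ip in events[start:end + 1]}) >= min_sources:
                flagged.append(user)
                break
    return sorted(flagged)

def successes_without_mfa(lines):
    """Accounts that reached the portal without a second factor; the list an
    MFA rollout should be driven from."""
    return sorted({r["user"] for r in map(parse_auth, lines)
                   if r["ok"] and not r["mfa"]})

if __name__ == "__main__":
    print("stuffing sources:", credential_stuffing_sources(SAMPLE_AUTH_LOG))
    print("shared accounts: ", shared_credential_accounts(SAMPLE_AUTH_LOG))
    print("no MFA:          ", successes_without_mfa(SAMPLE_AUTH_LOG))
```

Each function returns a list rather than printing, so the same checks can be scheduled against exported logs and their output fed to an alerting pipeline. The shared-credential heuristic will also fire for a single agent who genuinely moves between networks, so its hits are a trigger for review (and for confirming the contractual no-sharing clause is being observed), not proof of misuse on their own.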

Our Take

Covered entities subject to the Cybersecurity Regulation should consider the following actions in light of these enforcement actions:

  • Develop a risk-based cybersecurity program and revise such program based on periodic risk assessments.
  • Allocate appropriate resources to conduct vulnerability assessments on a regular basis and penetration testing on an annual basis, and establish a budget and an action plan to improve the covered entity’s cybersecurity posture based on the results of such assessments.
  • Implement robust cybersecurity policies and establish adequate processes and controls to confirm that they are effectively put in place by the covered entity’s personnel. Covered entities should clearly communicate to employees that sharing credentials puts the entire organization at risk.
  • Covered entities with public-facing applications transmitting NPI should prioritize robust access controls such as MFA and encrypt sensitive information as appropriate.