
Violations of New York Cybersecurity Regulations Result in $4.5 Million Penalty

The Superintendent of the New York Department of Financial Services (DFS) recently announced a consent order assessing a $4.5 million penalty against a health insurance company for violations of the DFS Cybersecurity Regulations, 23 NYCRR Part 500.

The regulations apply to a “covered entity,” defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

In this case, a phishing attack likely allowed unauthorized access to six years’ worth of consumers’ non-public information. According to DFS, the company failed to:

  1. implement multi-factor authentication (§ 500.12);
  2. limit user access privileges (§ 500.07);
  3. implement sufficient data retention and disposal processes (§ 500.13); and
  4. conduct an adequate risk assessment (§ 500.09).

In addition to the monetary penalty, the company is required to conduct a comprehensive risk assessment, which must include: a) reasonably necessary changes to address material issues identified in the assessment; b) plans for revising controls to respond to technological developments and evolving threats; and c) plans for updating or creating additional written policies and procedures.

To its credit, DFS acknowledged the company’s “commendable cooperation throughout [the] investigation” as well as its “ongoing and completed efforts to remediate the shortcomings identified in this Consent Order.” This acknowledgment appears in the “Monetary Penalty” section of the Consent Order, so presumably this favorable conduct reduced the amount of the penalty.


DFS recently announced proposed amendments to its Cybersecurity Regulations that, if implemented, would require:

  • The creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs. Furthermore, based on feedback from the industry and in recognition of the realities of operating a small business, the proposed amendment increases the size threshold of smaller companies that are exempt from many parts of the regulation;   
  • Enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels;  
  • Additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack;  
  • Requiring more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning; and  
  • Directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.  

DFS is accepting public comment on the proposed amendments through Jan. 9, 2023. For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit



Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to meet state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry, including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
