Insuring Against the Inevitable: Lessons from a $4.5 Million Cybersecurity Fine

As more and more sensitive information is shared and stored digitally, the risk of cyber attacks rises dramatically. This has made it essential for insurance companies to implement basic cyber security measures to protect themselves and their customers from devastating data breaches. Similar to football, where blocking and tackling are fundamental to success, basic cyber security practices are essential for safeguarding against cyber attacks. 

The New York State Department of Financial Services (NYDFS) Part 500 is leading the way nationally for cyber regulation. The timeline below showcases a handful of insurance companies that have been fined for not complying with NYDFS Part 500 Cyber Regulation.

The cases listed above have common themes, like a lack of multi-factor authentication (MFA) and inadequate risk assessments.

However, the EyeMed breach, listed on the right side, stands out because the number of issues found resulted in a sharp increase in the fine over the ten month investigation after the initial fine was levied. In total, the breach resulted in 6 years’ worth of consumer data that impacted 2.1 million individuals. Most of the consumer data was taken from a shared EyeMed email inbox that contained Non Public information (NPI) including Social Security Numbers (SSN) and other medical information.

The original settlement required EyeMed to conduct regular penetration testing, encrypt sensitive consumer information, and implement updated security protocols. However, the fine was increased to $4.5 million because EyeMed did not disclose that a bad actor sent at least 2,000 phishing emails from the compromised account during the week before discovery. The emails impersonated proposal requests that aimed to dupe victims into sharing their credentials. EyeMed also did not conduct a risk assessment until over a year after the breach. 

EyeMed Root Causes 

There are four root causes that the NYDFS cited as the cause of the breach:

1. MFA: At the time of the attack, EyeMed was in the process of rolling out MFA for its email accounts—but the affected account had not yet been included in the rollout.
2. Password Requirements: The affected mailbox was protected by a weak password.
3. Shared Accounts: The affected mailbox was shared by nine EyeMed employees. 
4. Incomplete Risk Assessment: EyeMed received third-party IT audits and a review of its enterprise risk management (ERM). However, the NYDFS found these audits and reviews did not meet the standards set out in Part 500 and were inadequate. This was evidenced by the fact that none of the assessments addressed the risk of storing NPI in the shared inbox. 

Regulatory Landscape Updates 

While all these fines are shocking, it is important to note they are only the financial impacts from a regulatory perspective. These numbers do not include investigative costs and reputational damage. 

As cyber risks grow, regulators are stepping in to enforce and monitor compliance. The second amendment to the NYDFS Part 500 has increased requirements around MFA, risk assessments, phishing, and security training. Part 500 is a yardstick for cyber regulation across the country and it is likely these changes will have a ripple effect for cyber regulation across the country. 

Navigating the Changing Regulatory Landscape 

Johnson Lambert’s advisory and consulting practice can help engage in conversations with key personnel and stakeholders, review reports and policies, perform a walkthrough of critical cybersecurity processes to assess potential cybersecurity program gaps, meet with management to co-develop risk assessment and recommendations for improvements, developing a roadmap for next steps to improve the cybersecurity processes, and performing a cybersecurity risk pre-assessment to determine the effectiveness of the program.