State, Federal Regulatory Enforcement a Focus as Cyber Crime Grows
Ransomware attacks are on the rise and cyber risks continue to mount
By: Elizabeth Blosfield | August 4, 2021
As ransomware attacks are on the rise and cyber risks continue to mount, experts say there has been “a paradigm shift in cybersecurity enforcement.”
That’s according to Matt Levine, a partner in Phillips Nizer’s litigation department in its New York office, in the most recent episode of The Insuring Cyber Podcast. Levine has experience in criminal, civil and regulatory litigation and previously served as the first executive deputy superintendent for enforcement at the New York State Department of Financial Services (DFS).
New York led the charge as the first state to apply GDPR-like cybersecurity regulations for its financial services industry with DFS’ cyber rules – often referred to as Part 500 – implemented under a phased two-year timeline beginning in March 2017.
The regulation aims to protect New York’s financial services industry from the threat of a cyber attack and is the first cybersecurity regulation of its kind in the U.S. It has since served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states and the National Association of Insurance Commissioners.
DFS last year filed the first cybersecurity charges under its regulation, which were levied against First American Title Insurance Company for exposing millions of documents containing consumers’ personal information. Since then, the department has issued several enforcement actions, with a particular focus on insurance companies, Levine says.
“I think people in the insurance industry need to be prepared for regular cybersecurity enforcement actions,” he says.
Later in the episode, Emily Ruzic, an associate at national law firm Bradley, emphasizes the heightened level of focus that should be placed on cybersecurity as cyber incidents and cyber regulatory enforcement alike are increasing.
“As much as the companies spend on their cybersecurity protocols, the bad guys are working hard too, and so they’re finding vulnerabilities in even companies that have taken the absolute best steps to protect themselves,” she says.
Levine says that, to prepare, insurers and other regulated entities need an incident response plan in place that includes procedures for notifying the appropriate regulators in the event of an attack.
“It’ll specify who in the chain of command is responsible for it, and it’ll specify things like documentation and other things related to governance, so that it’s noted in the record and is available for the records in the subsequent examination,” he says. “A second thing that’s important for being prepared is having a CISO (chief information security officer) that is experienced in incident response.”
Finally, he says, companies should invest in doing tabletop exercises, which he describes as “a practice run on a breach incident.”
“This is something that not everybody does,” he says. “I think there is some lip service paid to it, but I think it could be done more.”
As far as DFS is concerned, Levine says enforcement of its cyber rules has been a priority for the agency for several years, and insurers and other regulated entities need to be paying attention as more enforcement actions come to fruition.
“I think insurers and other financial entities need to know that DFS is serious about this, and in the larger environment of enforcement, federal regulators … the FTC, the SEC, the OCC, and others are paying more attention to this,” he says.
Indeed, Ruzic wrote in an article for JD Supra that in 2017 the FTC announced a record year of enforcement actions regarding consumer privacy, bringing nearly two hundred privacy and data security cases in that year alone. Since then, she says, its focus on cybersecurity enforcement has only increased.
“Every day, you turn on the news and you hear about another company that’s had a cyber incident,” she says. “The FTC is really keeping up with that and focusing a lot of resources on cyber events.”
With this in mind, she says the regulatory coverage components of cyber insurance policies are becoming increasingly valuable as data-breach enforcement continues to surge.
Cyber regulatory defense and penalties coverage is a type of insurance that can cover fines and penalties in the event a company faces a cyber regulatory action. Cyber policies can also provide coverage for defense and investigative costs in connection with governmental investigations, Ruzic says.
“I think it’s definitely something that companies need to look into, because damages and penalties can get pretty high,” she says.
Ruzic adds that penalties are often assessed based on the number of people affected by a particular cyber incident at a company, so costs can escalate quickly.
“There could be one minor intrusion, but then a million people’s data gets out and then you’re looking at penalties,” she says. “Even if it were just $5 a person, then you could upgrade to a significant amount that quickly.”