CYBER CORNER

A giant financial technology firm (the “Firm”) is presently the subject of an investigation due to the severity of a recent data breach it experienced. The Firm, which provided software services to various banks around the world, revealed that about 400 gigabytes of data had been stolen from its network by cybercriminals. It is even more alarming that the stolen data first appeared on the dark web under an alias a week prior to the Firm’s first disclosure of the breach. The lapse in notice indicates that it took the Firm a week to either detect or disclose that there was a breach.

This cybersecurity breach raised concerns for similar firms servicing important industries, such as finance. Here, the Firm operated across 42 countries, managing sensitive data for global banking, such as wire transfers and other transactions. Although the Firm maintained that its business operations were not affected by the breach, it has acknowledged that customer data was affected. 

Overall, concerns surrounding cyber resilience, particularly cybersecurity monitoring, have been raised as the Firm was a week late in adequately addressing the cyber incident. Despite the Firm’s sophisticated cybersecurity resources, the recent breach reveals that even advanced firms were not immune to cyberattacks. Also, the breach shed light on the challenges with vendor management in critical sectors such as finance, where only limited providers have the qualified solutions needed. Reliance on third-party vendors in these sectors suggested that financial institutions should implement contractual protections and ensure that vendors were adequately assessed and monitored. 

Moreover, the breach laid out insurance concerns with coverage and cybersecurity. Although some insurance policies address vendor contracts through language like subrogation waivers, the insurer and insured are sometimes left without a clear framework on recovering losses in the event of a breach. As third-party risks grow, cybersecurity and insurance must address gaps in coverage, risk management, and recovery in the event of cyber incidents.  

A 2020 cyber breach exposing personal data of 120,000 New York auto insurance policyholders triggered New York’s stringent Department of Financial Services regulations (locally known as “Part 500”). The hackers stole sensitive information and used the stolen data to fraudulently claim unemployment benefits. The breach, which has led to legal action, sheds light on the inadequacy of some insurance companies’ data security protocols. 

The New York Attorney General (the “AG”) responded to this breach by, once again, utilizing the state’s strict privacy regulations to target two affected auto insurers (the “Insurers”) for their weak data security practices. The Insurers have been fined a combined $11 million and have agreed to implement corrective measures aimed at strengthening cybersecurity measures, conducting risk assessments, and addressing the state’s cybersecurity concerns. 

The AG’s response highlights that compliance with Part 500 is crucial for financial institutions operating in New York. Compliance entails addressing security lapses and implementing measures that meet the standards set forth in the regulation to avoid the imposition of similar penalties. 

Additionally, the importance of cyber insurance cannot be overlooked. Businesses must ensure their cyber insurance contains language that triggers coverage for regulatory actions and is not predicated on the occurrence of a breach. An experienced broker can secure cyber policies that allow for defense costs to be covered for alleged privacy law violations and not just breach-related events. 

Overall, the Insurers’ security lapses and the AG’S aggressive response should serve as a cautionary tale for businesses regarding New York’s proactive approach to privacy law violations, along with the importance of robust cyber insurance policy wording.