The New York Department of Financial Services (“NYDFS”) has charged First American Insurance company with multiple section code violations pertaining to cyber security policies. This is NYDFS’s first time charging a company for not adhering to their Cybersecurity Regulation Part 500 of Title 23. The charges held against First American are as follows:

  1. Deficient cybersecurity controls
  2. Failure to follow cybersecurity policies
  3. Neglect to conduct security risk assessment
  4. Failure to remedy security vulnerabilities

These bad practices led to a significant data breach, resulting in the mass exposure of client information including bank account and social security numbers, tax records, and even driver’s license images from October 2014 to May 2019. As their penalty, First American may be fined $1,000-$5,000 per violation. The statement charges and hearing will be held on January 21, 2022, and conducted by Peter C. Dean, Deputy Superintendent at the NYFDS.

The Securities and Exchange Commission (“SEC”) also fined First American for lack of cyber security disclosure controls and procedures. As a result, on May 24, 2019, First American was found to violate the Exchange Act Rule 13a-15 and was fined $487,616.

Financial service firms that do not meet cyber security requirements should heed this news, as it signals an increasing risk of penalty for them.