Financial Services, Information Security, Insurance and IT

Toyota Financial Services discloses a data breach

Security Affairs

DECEMBER 11, 2023

Toyota Financial Services (TFS) disclosed a data breach, threat actors had access to sensitive personal and financial data. Toyota Financial Services (TFS) is warning customers it has suffered a data breach that exposed sensitive personal and financial data.

Financial Services

Financial Services Data breaches Ransomware Insurance

Medusa ransomware gang claims the hack of Toyota Financial Services

Security Affairs

NOVEMBER 17, 2023

Toyota Financial Services discloses unauthorized activity on systems after the Medusa ransomware gang claimed to have hacked the company. Toyota Financial Services confirmed the discovery of unauthorized activity on systems in a limited number of its locations. ” reads a statement published by the company.

Financial Services

Financial Services Ransomware Data breaches Insurance

Vermont Enacts Insurance Data Security Law

Hunton Privacy

JUNE 9, 2022

515 , making Vermont the twenty-first state to enact legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law (“MDL-668”). Information Security Program Requirements. On May 27, 2022, Vermont Governor Phil Scott signed H.515

Insurance

Insurance Security Information Security Cybersecurity

New York Department of Financial Services Issues First Guidance by a U.S. Regulator Concerning Cyber Insurance

Data Matters

FEBRUARY 10, 2021

On February 4, 2021, the New York Department of Financial Services (NYDFS) issued Circular Letter No. 2 announcing a Cyber Insurance Risk Framework (the Framework) that describes industry best practices for New York-regulated property/casualty insurers. Insurers should: Establish a Formal Cyber Insurance Risk Strategy.

Insurance

Insurance Financial Services Cybersecurity Risk

Historic Charges: First Enforcement Action Filed by New York Department of Financial Services Under Cybersecurity Regulation

Data Matters

AUGUST 19, 2020

On July 21, 2020, the New York State Department of Financial Services (NYDFS or the Department) issued a statement of charges and notice of hearing (the Statement) against First American Title Insurance Company (First American) for violations of the Department’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R.

Financial Services

Financial Services Cybersecurity Insurance Risk

American Insurance firm State Farm victim of credential stuffing attacks

Security Affairs

AUGUST 7, 2019

The American group of insurance and financial services companies State Farm disclosed a credential stuffing attack it has suffered in July. The American group of insurance and financial services companies State Farm revealed that it was the victim of a credential stuffing attack it has suffered in July.

Insurance

Insurance Data breaches Financial Services Passwords

First American Financial Pays Farcical $500K Fine

Krebs on Security

JUNE 18, 2021

In May 2019, KrebsOnSecurity broke the news that the website of mortgage settlement giant First American Financial Corp. NYSE:FAF ] was leaking more than 800 million documents — many containing sensitive financial data — related to real estate transactions dating back 16 years. First American Financial Corp.

Insurance

Insurance Risk Financial Services Mining

NYDFS Updates Its Cybersecurity Regulation to Protect Against Growing Cyber Threats

Hunton Privacy

NOVEMBER 8, 2023

On November 1, 2023, New York Governor Hochul announced that the New York State Department of Financial Services (“NYDFS”) amended its Cybersecurity Regulation applicable to covered financial institutions. Our previous blog post covered key proposed changes to the Cyber Regulation.

Cybersecurity

Cybersecurity IT Compliance Financial Services

A massive DDoS attack took down the site of the German financial agency BaFin

Security Affairs

SEPTEMBER 4, 2023

A distributed denial-of-service (DDoS) attack took the site of the German Federal Financial Supervisory Authority (BaFin) down for some days. It is not clear who is behind the DDoS attack, but the media speculate that it was launched by pro-Russian hacktivists in response to the German financial and military support to Ukraine.

Financial Services

Financial Services Military Insurance Marketing

Cybersecurity Standards for the Insurance Sector – A New Patchwork Quilt in the US?

HL Chronicle of Data Protection

MAY 13, 2019

In the past two years, multiple state bills that have been introduced in the US to provide for cybersecurity requirements and standards to the insurance sector, with recent legislative activity taking place in particular within the States of Ohio, South Carolina, and Michigan. NYDFS: Setting a new bar for state cybersecurity regulation.

Insurance

Insurance Cybersecurity Data breaches Financial Services

NYDFS settles cybersecurity regulation matter for $1.8 million

Data Protection Report

JUNE 2, 2021

On May 13, 2021, the New York Department of Financial Services (NYDFS) announced a $1.8 million settlement with two related insurance companies, relating to violations of two different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2019. NYDFS Cybersecurity Regulation.

Cybersecurity

Cybersecurity Insurance Financial Services Phishing

Security Compliance & Data Privacy Regulations

eSecurity Planet

AUGUST 9, 2022

Regulatory compliance and data privacy issues have long been an IT security nightmare. GDPR (among other legal requirements in the EU and elsewhere) can expose multinational organizations to hefty financial penalties, additional rules for disclosing data breaches, and increased scrutiny of the adequacy of their data security.

Data Privacy

Data Privacy Compliance Privacy Security

U.S. banking regulators order banks to notify cybersecurity incidents in 36 hours

Security Affairs

NOVEMBER 20, 2021

Major cybersecurity incidents are attacks that impact operations of the victims or the stability of the US financial sector. The rule was approved by the Federal Reserve, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency. The rule aims at forcing banks to quickly respond to cybersecurity incidents.

Cybersecurity

Cybersecurity Financial Services Insurance Ransomware

FTC Seeks Comment on Proposed Changes to its GLBA Safeguards and Privacy Rules

Data Matters

MARCH 12, 2019

Last week, the Federal Trade Commission (“FTC”) got into the act as well, releasing two notices of proposed rulemaking (“NPRM”) on potential changes to its the Standards for Safeguarding Customer Information (“Safeguards Rule”) and Privacy of Consumer Financial Information Rule (“Privacy Rule”) under the Gramm-Leach-Bliley Act.

Privacy

Privacy IT Information Security Insurance

New York State Expected to Increase Enforcement of Cybersecurity Practices

HL Chronicle of Data Protection

FEBRUARY 25, 2020

Companies should take note of two imminent developments in New York in the area of cybersecurity regulation: enforcement of the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (Regulation) and the effective date of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act or Act).

Cybersecurity

Cybersecurity Financial Services Data breaches Insurance

SEC Announces Settled Charges Against First American for Cybersecurity Disclosure Controls Failures – Lessons Learned

Data Matters

JUNE 24, 2021

On June 15, 2021, the SEC announced settled charges against First American Title Insurance Company (First American) for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information. SEC Statement and Guidance on Public Company Cybersecurity Disclosures.

Cybersecurity

Cybersecurity Financial Services Risk Compliance

BEST PRACTICES: Rising complexities of provisioning identities has pushed ‘IGA’ to the fore

The Last Watchdog

APRIL 3, 2019

Its customer base is comprised of eight of the top 15 banks, four of the top six healthcare insurance and managed care providers, nine of the top 15 property and casualty insurance providers, five of the top 13 pharmaceutical companies, and 11 of the largest 15 federal agencies. Users re-defined. Compliance matters. Talk more soon.

Digital transformation

Digital transformation Insurance Compliance Healthcare

U.S. and Foreign Cybersecurity and Intelligence Agencies Recommend Measures to Counteract Threat of Russian Cyberattacks

Data Matters

JANUARY 28, 2022

Other government agencies, like the New York Department of Financial Services and the Federal Trade Commission, are also increasingly focused on the need for broad implementation of MFA. Best Practices to Minimize Disruptions. Like an incident response plan, MFA has become a critical element of cybersecurity programs.

Cybersecurity

Cybersecurity Financial Services Authentication Government

Oracle Critical Patch Update for January 2022 will fix 483 new flaws

Security Affairs

JANUARY 17, 2022

.” The CPU will address critical vulnerabilities in Oracle Essbase, Graph Server and Client, Secure Backup, Communications Applications, Communications, Construction and Engineering, Enterprise Manager, Financial Services Applications, Fusion Middleware, Insurance Applications, PeopleSoft, Support Tools, and Utilities Applications.

Communications

Communications Financial Services Big data Retail

Ransomware infected systems at Xchanging, a DXC subsidiary

Security Affairs

JULY 6, 2020

Systems at Xchanging, a subsidiary of Global IT services and solutions provider DXC Technology was hit by ransomware over the weekend. Global IT services and solutions provider DXC Technology disclosed a ransomware attack that infected systems at its Xchanging subsidiary.

Ransomware

Ransomware Insurance Financial Services Manufacturing

NYDFS settles cybersecurity regulation matter for $3 million

Data Protection Report

APRIL 22, 2021

On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020. NYDFS Cybersecurity Regulation.

Cybersecurity

Cybersecurity Financial Services Phishing Compliance

A massive phishing campaign using QR codes targets the energy sector

Security Affairs

AUGUST 16, 2023

Other top 4 targeted industries include Manufacturing, Insurance, Technology, and Financial Services seeing 15%, 9%, 7%, and 6% of the campaign traffic respectively.” Experts warn that the Energy sector was a major focus of this campaign, followed by manufacturing, and insurance. ” continues the report.

Phishing

Phishing Energy and Utilities Insurance Manufacturing

New York SHIELD Act $600,000 settlement

Data Protection Report

FEBRUARY 8, 2022

In total, information for approximately 2.1 According to the settlement agreement, the threat actor obtained access to the EyeMed email account on approximately June 24, 2020 and not only obtained access to six years’ worth of information, but also began sending 2,000 phishing emails on July 1. SHIELD Act.

Passwords

Passwords Financial Services Authentication Insurance

DOL Puts Plan Sponsors and Other Fiduciaries on Notice: ERISA Requires Appropriate Precautions to Mitigate Cybersecurity Threats

Data Matters

APRIL 20, 2021

The Cybersecurity Guidance is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974 (ERISA) as well as plan participants and beneficiaries. The Cybersecurity Guidance is set forth in three parts: Tips for Hiring a Service Provider , directed toward plan sponsors and fiduciaries.

Cybersecurity

Cybersecurity Insurance Risk Compliance

New York Announces Proposed Cybersecurity Regulation to Protect Consumers and Financial Institutions

Hunton Privacy

SEPTEMBER 15, 2016

The proposed regulation requires regulated financial institutions to take various actions, including: adopting a written cybersecurity policy; establishing a cybersecurity program; designating a Chief Information Security Officer to oversee and enforce its new program and policy; and.

Cybersecurity

Cybersecurity Financial Services Insurance Information Security

Multinational ICICI Bank leaks passports and credit card numbers

Security Affairs

APRIL 20, 2023

In 2022, the ICICI Bank’s resources were named a “critical information infrastructure” by the Indian government – any harm to it can impact national security. However, despite the critical status of bank infrastructure on the national level, the security of crucial data was not ensured. million files belonging to ICICI Bank.

Personal data

Personal data Phishing Risk Financial Services

Iran-linked APT group Pioneer Kitten sells access to hacked networks

Security Affairs

SEPTEMBER 1, 2020

The Iranian hacker group has been attacking corporate VPNs over the past months, they have been hacking VPN servers to plant backdoors in companies around the world targeting Pulse Secure , Fortinet , Palo Alto Networks , and Citrix VPNs. . ” continues the report.

Access

Access Financial Services Retail Insurance

NYDFS settles with EyeMed for $4.5 million

Data Protection Report

OCTOBER 24, 2022

On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. Those emails came to the attention of EyeMed’s IT department and also its customers, who complained.

Cybersecurity

Cybersecurity Personal data Risk Financial Services

New York Banking Regulator Announces New Cybersecurity Assessment Process

Hunton Privacy

DECEMBER 11, 2014

On December 10, 2014, the New York State Department of Financial Services (the “Department”) announced that it issued an industry guidance letter to all Department-regulated banking institutions that formally introduces the Department’s new cybersecurity preparedness assessment process.

Cybersecurity

Cybersecurity Financial Services Insurance Information Security

February 15 deadline looms for first DFS Cybersecurity Certification

Data Protection Report

FEBRUARY 8, 2018

February 15, 2018, is quickly approaching and any entity subject to New York’s cybersecurity regulation (23 NYCRR Part 500) must file its first annual certification of compliance with the New York State Department of Financial Services (DFS) by that date. The certificate is to be submitted electronically at the DFS Web Portal.

Cybersecurity

Cybersecurity Financial Services Compliance Insurance

Maze ransomware gang discloses data from drug testing firm HMR

Security Affairs

APRIL 8, 2020

“Consider contacting CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration. . “Consider contacting CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration. Source BleepingComputer. ” continues the notification.

Ransomware

Ransomware Data breaches Encryption Financial Services

Transition period under New York Cybersecurity Regulation ends March 1, 2019

Data Protection Report

JANUARY 7, 2019

The two-year transitional period under the New York State Department of Financial Services (“DFS””) Cybersecurity Regulation , 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Additional guidance.

Cybersecurity

Cybersecurity Compliance Financial Services Risk

UK FCA Consults on Changes to Strong Consumer Authentication, Dedicated Interfaces, and Guidance on Payment Services

Data Matters

FEBRUARY 25, 2021

On January 28, 2021, the UK Financial Conduct Authority (FCA) published Consultation Paper CP21/3 , “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual” (Consultation Paper). its Perimeter Guidance Manual (PERG). Temporary COVID Guidance. Safeguarding.

Authentication

Authentication Paper Risk Insurance

FTC Seeks Comment on Proposed Changes to GLBA Implementing Rules

HL Chronicle of Data Protection

MARCH 14, 2019

It includes general, high level elements of a security program, but lacks detailed security steps. The plan must enable FIs to promptly respond to and recover from security events affecting customer information. Finally, the plan must require evaluation and revisions to it as necessary following a security event.

Privacy

Privacy Risk Cybersecurity Information Security

Top GRC Tools & Software for 2021

eSecurity Planet

JANUARY 21, 2021

It includes multi-disciplinary risk and compliance management solutions and tools, including: IT & security risk management. LogicManager’s GRC solution has specific use cases across financial services, education, government, healthcare, retail, and technology industries, among others. IT governance and security.

Compliance

Compliance Risk Government Retail

Office of Foreign Assets Control: Making or Facilitating Ransomware Payments May Violate U.S. Sanctions

Data Matters

OCTOBER 8, 2020

Treasury’s Financial Crimes Enforcement Network (FinCEN), OFAC is sending a clear signal that making ransomware payments with a sanctions nexus threatens U.S. national security interests and that third-party service providers that facilitate ransomware payments on behalf of a victim must consider and ensure compliance with OFAC regulations.

Ransomware

Ransomware Compliance Risk Government

Top 10 Governance, Risk and Compliance (GRC) Vendors

eSecurity Planet

JANUARY 21, 2021

It includes multi-disciplinary risk and compliance management solutions and tools, including: IT & security risk management. LogicManager’s GRC solution has specific use cases across financial services, education, government, healthcare, retail, and technology industries, among others. IT governance and security.

Compliance

Compliance Risk Government Retail

HSBC Fined £3 Million ($5 Million) for Data Security Failings in UK

Hunton Privacy

JULY 22, 2009

The UK Financial Services Authority (FSA) has announced today fines for three HSBC entities totaling £3 million for failing to have adequate systems and controls in place to protect their customers’ confidential data. The fine is the highest to date in the UK and reflects a 30% discount for cooperating with the FSA.

Security

Security Insurance Data breaches Personal data

New York Enacts Stricter Data Cybersecurity Laws

Data Matters

AUGUST 5, 2019

Furthermore, although entities that already comply with the breach notification requirements under certain state or federal laws (such as the Health Insurance Portability and Accountability Act (HIPAA), the New York Department of Financial Services cybersecurity regulations (23 N.Y.C.R.R.

Cybersecurity

Cybersecurity Data breaches Privacy Risk

Sorting Through the Whirlwind of News on the Proposed Equifax Settlement and Capital One Breach

ARMA International

AUGUST 2, 2019

According to the FTC’s press release, the data breach included “names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.” To that end, the settlement also requires Equifax to “implement a comprehensive information security program.”

Cloud

Cloud Data breaches Encryption Access

Delaware Enacts New Data Destruction Law

Hunton Privacy

JULY 31, 2014

confidential health care information. Notably, a consumer’s information qualifies as “personal identifying information” if either his or her name or the accompanying data element is unencrypted at the time of disposal.

Financial Services

Financial Services Insurance Privacy Paper

CIPL and AvePoint Release Global GDPR Readiness Report

Hunton Privacy

NOVEMBER 10, 2016

Telecommunication and technology companies were the most represented respondents, followed by insurance and financial services companies, as well as pharmaceutical and healthcare companies. and less than half operate in South America and Asia.

GDPR

GDPR Data Privacy Compliance Privacy

China’s PIPL has finally arrived, and brings helpful clarification (rather than substantial change) to China’s data privacy framework

DLA Piper Privacy Matters

AUGUST 23, 2021

Government Access to/Disclosure of Personal Information Data controllers must not provide personal information stored within China to overseas legal or enforcement authorities unless approval is obtained from a China authority. This aligns with a similar provision in the new Data Security Law.

Data Privacy

Data Privacy Privacy Compliance Analytics

Cybersecurity: Managing Risks With Third Party Companies

Cyber Info Veritas

JULY 19, 2018

This is according to a recent survey conducted by Soha Systems, and according to one of the speeches delivered by the Superintendent of the New York State Department of Financial Services, Mr. Benjamin Lawsky, “ A company’s cybersecurity is only as strong as the cybersecurity of its third-party vendors ”.

Risk

Risk Cybersecurity Compliance Data breaches

Toyota Financial Services discloses a data breach

Medusa ransomware gang claims the hack of Toyota Financial Services

Trending Sources

Vermont Enacts Insurance Data Security Law

New York Department of Financial Services Issues First Guidance by a U.S. Regulator Concerning Cyber Insurance

Historic Charges: First Enforcement Action Filed by New York Department of Financial Services Under Cybersecurity Regulation

American Insurance firm State Farm victim of credential stuffing attacks

First American Financial Pays Farcical $500K Fine

NYDFS Updates Its Cybersecurity Regulation to Protect Against Growing Cyber Threats

A massive DDoS attack took down the site of the German financial agency BaFin

Cybersecurity Standards for the Insurance Sector – A New Patchwork Quilt in the US?

NYDFS settles cybersecurity regulation matter for $1.8 million

Security Compliance & Data Privacy Regulations

U.S. banking regulators order banks to notify cybersecurity incidents in 36 hours

FTC Seeks Comment on Proposed Changes to its GLBA Safeguards and Privacy Rules

New York State Expected to Increase Enforcement of Cybersecurity Practices

SEC Announces Settled Charges Against First American for Cybersecurity Disclosure Controls Failures – Lessons Learned

BEST PRACTICES: Rising complexities of provisioning identities has pushed ‘IGA’ to the fore

U.S. and Foreign Cybersecurity and Intelligence Agencies Recommend Measures to Counteract Threat of Russian Cyberattacks

Oracle Critical Patch Update for January 2022 will fix 483 new flaws

Ransomware infected systems at Xchanging, a DXC subsidiary

NYDFS settles cybersecurity regulation matter for $3 million

A massive phishing campaign using QR codes targets the energy sector

New York SHIELD Act $600,000 settlement

DOL Puts Plan Sponsors and Other Fiduciaries on Notice: ERISA Requires Appropriate Precautions to Mitigate Cybersecurity Threats

New York Announces Proposed Cybersecurity Regulation to Protect Consumers and Financial Institutions

Multinational ICICI Bank leaks passports and credit card numbers

Iran-linked APT group Pioneer Kitten sells access to hacked networks

NYDFS settles with EyeMed for $4.5 million

New York Banking Regulator Announces New Cybersecurity Assessment Process

February 15 deadline looms for first DFS Cybersecurity Certification

Maze ransomware gang discloses data from drug testing firm HMR

Transition period under New York Cybersecurity Regulation ends March 1, 2019

UK FCA Consults on Changes to Strong Consumer Authentication, Dedicated Interfaces, and Guidance on Payment Services

FTC Seeks Comment on Proposed Changes to GLBA Implementing Rules

Top GRC Tools & Software for 2021

Office of Foreign Assets Control: Making or Facilitating Ransomware Payments May Violate U.S. Sanctions

Top 10 Governance, Risk and Compliance (GRC) Vendors

HSBC Fined £3 Million ($5 Million) for Data Security Failings in UK

New York Enacts Stricter Data Cybersecurity Laws

Sorting Through the Whirlwind of News on the Proposed Equifax Settlement and Capital One Breach

Delaware Enacts New Data Destruction Law

CIPL and AvePoint Release Global GDPR Readiness Report

China’s PIPL has finally arrived, and brings helpful clarification (rather than substantial change) to China’s data privacy framework

Cybersecurity: Managing Risks With Third Party Companies

Stay Connected