b'CYBERSECURITY & DATA PRIVACY|REGULATIONit expected regulated entities to implement tostated that NYDFS recommends that victims of combat this cybercrime spree.ransomware do not pay ransoms because doing will not guarantee that an institution will get its data April 19, 2021Cyber Fraud Alert Follow-Up:back or that bad actors will not use that stolen data New York Insurance Identification (ID) Card Barcode Vulnerability: in the future.In another follow-up alert, the NYDFS specified thatOctober 22, 2021Guidance Regarding the Adoption the recent cybercrime campaign was focused onof an Affiliates Cybersecurity Program:stealing consumers drivers license numbers fromThe NYDFS issued guidance on the ability of a automobile insurers. Therefore, the NYDFS urgedCovered Entity under the Cybersecurity Regulation auto insurers to void or block any transaction whereto adopt an affiliates cybersecurity program. The the drivers license number that was input by aNYDFS emphasized that while a Covered Entity consumer does not match the drivers licensemay adopt an affiliates cybersecurity program in number provided by the auto insurers third-partywhole or in part, the Covered Entity may not data vendor. The NYDFS also stated that autodelegate responsibility for compliance with the insurers should continuously monitor and assessCybersecurity Regulation to an affiliate. Therefore, transactions involving e-checks and EFTs toa Covered Entity needs to ensure that the determine whether the transactions are comingcybersecurity program of its affiliate is compliant from financial service institutions that were notwith the Cybersecurity Regulation. Further, the commonly used in the past and to consider blockingNYDFS emphasized that if a Covered Entity is transactions from these institutions. relying on an affiliates cybersecurity program, it June 30, 2021Guidance on Ransomware Prevention: must ensure that the NYDFS has sufficient access From January 2020 through May 2021, NYDFS- to the requisite documentation and information to regulated companies reported 74 ransomwareassess the Covered Entitys compliance with the attacks to the NYDFS. This prompted the NYDFS toCybersecurity Regulation.issue guidance specific to ransomware attacks. InDecember 7, 2021Guidance on Multi-Factor June 2021, NYDFS issued guidance on ransomwareAuthentication:attacks against regulated financial institutions,The NYDFS reiterated the importance of using including New York insurance licensees. In additionmulti-factor authentication as an essential to listing specific security controls that can addresscybersecurity control. The NYDFS then went on to each of the weaknesses commonly exploited bylist common problems related to the ransomware criminals, the guidance stated that allimplementation of effective multi-factor ransomware attacks should be promptly reported toauthentication and provided recommendations for NYDFS, and that NYDFS would follow up on allways to address these problems. ransomware reports to collect information such as the details of the forensic investigation, whether aFinCEN Guidance on Ransomwareransom was paid, and the incidents impact onIn November 2021, the Federal Financial Crimes sensitive data and company operations. It alsoEnforcement Network (FinCEN) released an 136|Global Insurance Industry Year in Review 2021'