{"id":229539,"date":"2026-06-10T14:30:00","date_gmt":"2026-06-10T18:30:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/10\/what-a-2-25m-ny-cybersecurity-settlement-means-for-businesses-your-4-step-action-plan-fisher-phillips\/"},"modified":"2026-06-10T14:40:10","modified_gmt":"2026-06-10T18:40:10","slug":"what-a-2-25m-ny-cybersecurity-settlement-means-for-businesses-your-4-step-action-plan-fisher-phillips","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/10\/what-a-2-25m-ny-cybersecurity-settlement-means-for-businesses-your-4-step-action-plan-fisher-phillips\/","title":{"rendered":"What a $2.25M NY Cybersecurity Settlement Means for Businesses: Your 4-Step Action Plan | Fisher Phillips"},"content":{"rendered":"<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/what-a-2-25m-ny-cybersecurity-5145998\/\">What a $2.25M NY Cybersecurity Settlement Means for Businesses: Your 4-Step Action Plan | Fisher Phillips<\/a><\/p>\n<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/what-a-2-25m-ny-cybersecurity-5145998\/\">https:\/\/www.jdsupra.com\/legalnews\/what-a-2-25m-ny-cybersecurity-5145998\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-10 14:30:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.jdsupra.com\">www.jdsupra.com<\/a><\/p>\n<p>A recent $2.25 million settlement between an insurance company and the state of New York presents a cautionary tale for businesses in the Empire State. The New York State Department of Financial Services (NYDFS) found that the company\u2019s incident response plan was inadequate and allowed threat actors to access New Yorkers\u2019 personal information. Settlements between state cyber regulators and impacted organizations are often the result of the organizations\u2019 missteps following a breach. 
In this case, NYDFS not only found that the company failed to meet reporting requirements following a cyber incident, but also that its preventative measures were deficient. Here\u2019s why that\u2019s important and what your organization should do to avoid similar sanctions.<\/p>\n<p>The Significance of the Settlement<\/p>\n<p>The insurance company agreed to settle the state\u2019s claims after an NYDFS investigation concluded that the insurance company\u2019s preventative cybersecurity policies and practices that were in place before the breach failed to satisfy the state\u2019s regulatory threshold. The state also found that the company failed to report the breach to officials in a timely manner. NY\u2019s Cybersecurity Regulation requires covered entities to notify regulators of a cybersecurity incident \u201cpromptly\u201d and no later than 72 hours after a determination that a reportable event has occurred.<\/p>\n<p>Specifically, the state said the insurance company\u2019s cybersecurity posture did not meet requirements related to retention settings, controls, procedures, and policies that exist to protect the information systems and consumer data of regulated financial institutions, according to the April 30 settlement.<\/p>\n<p>Key issues identified by investigators:<\/p>\n<p>\tNo set policies or procedures for the periodic and secure disposal of non-public information that is no longer necessary for business operations or for other legitimate business purposes.<br \/>\n\tNo written or implemented policy addressing incident response.<br \/>\n\tDidn\u2019t maintain an incident response plan that sufficiently addressed their reporting obligations to regulators.<\/p>\n<p>The NYDFS acknowledged that the company cooperated throughout the investigation, promptly investigated the cybersecurity event, and continued to resolve the issues identified.<\/p>\n<p>What This Means for Your Organization<\/p>\n<p>As cyber incidents become more common, regulators are focusing 
on organizations that handle personal information. The growing expectation is that entities will implement best practices and adhere to regulatory guidance before attacks happen. The settlement secured by NYDFS is one example showing that policymakers are becoming more aggressive in enforcement when minimum requirements don\u2019t appear to be met.<\/p>\n<p>Your 4-Step Action Plan<\/p>\n<p>To help insulate your organization from potential cybersecurity compliance headaches, consider taking these four steps:<\/p>\n<p>1. Audit Your Incident Response Plan (IRP): Many organizations have IRPs, but they\u2019re static documents that are only as current as the date of their most recent publication. Data protection and cybersecurity regulations are constantly evolving, and it\u2019s important that your IRP reflects that. Frequent (annual) reviews and audits of your incident response plans are recommended. Be sure to consult with external advisors who are aware of the most current guidance and can review your plans for compliance.<\/p>\n<p>2. Communicate with Regulators: When zero-day vulnerabilities are identified by vendors, they sometimes alert regulators. Regulators will often communicate this information to entities under their jurisdiction that are likely to use the vendors\u2019 products, as was the case in this investigation and settlement. Having open channels of communication and maintaining good working relationships with cyber regulators makes it more likely that you\u2019ll receive useful instructions and guidance.<\/p>\n<p>3. Track Regulatory Developments: The regulation at issue in this settlement became effective in March 2017 and was amended in November 2023. As new rules are implemented at a rapid pace, it can be difficult for in-house CISOs and GCs to keep up with changes, especially if your organization operates in multiple jurisdictions.<\/p>\n<p>4. Adhere to Reporting Requirements: Addressing and mitigating a breach is intense work. 
The regulatory notification clock can run out before you realize it, which can support fines even without intent to delay or conceal. Retaining counsel early adds bandwidth and shifts this work to a team that handles these issues routinely.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What a $2.25M NY Cybersecurity Settlement Means for Businesses: Your 4-Step Action Plan | Fisher&#8230;<\/p>\n","protected":false},"author":1,"featured_media":229540,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.7295_0824.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24],"class_list":["post-229539","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229539"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=229539"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229539\/revisions"}],"predecessor-version":[{"id":229541,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229539\/revisions\/229541"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/229540"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=229539"}],"wp:term":[{"taxonomy":"catego
ry","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=229539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=229539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}