Lessons learned from EyeMed’s costly $4.5 million failed risk assessment

In October 2022, the New York State Department of Financial Services (NYDFS) ordered EyeMed Vision Care, a Cincinnati, Ohio-area vision benefits company, to pay a $4.5 million fine for failing to conduct a required risk assessment and for violating the NYDFS cybersecurity regulation. So, what was EyeMed's mistake? The insurer had not implemented multifactor authentication for its email system, a costly omission. After what is believed to have been a successful phishing campaign, an unauthorized individual had access to an EyeMed email account for seven days, during which they were able to view six years' worth of sensitive data. CISA's Bad Practices Guide classifies single-factor authentication (that is, the absence of MFA) for remote or administrative access as one of three 'exceptionally risky' practices, alongside the use of unsupported (end-of-life) software and the use of known, fixed or default passwords and credentials.

This was also not EyeMed's first regulatory punishment for poor cybersecurity practices. Earlier this year the New York Attorney General fined the firm $600,000 over the same 2020 breach, which exposed the information of 2.1 million consumers. NYDFS is now requiring EyeMed to conduct a risk assessment within the next three months and to provide the regulator with a clear plan for improving its cybersecurity practices and avoiding such mistakes in the future, akin to being put on a performance plan for not meeting expectations.

Regulators have been turning up the pressure on financial firms over the adequacy of their cybersecurity measures and have repeatedly highlighted the importance of conducting risk assessments. This latest fine demonstrates that non-compliance is not an option. When regulators set rules and expectations, firms must comply; anything less puts them at financial risk and exposes them to reputational damage in the industry.

NYDFS is not the only body prompting firms to clean up their cyber act. Regulators including the U.S. Securities and Exchange Commission (SEC) are becoming increasingly prescriptive in their cybersecurity guidance. The SEC recently named April 2023 as the target date for final action on its proposed cybersecurity rules, which would 'enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting'. In March of this year, the regulator also made clear its commitment to operational resilience in its 2022 Examination Priorities. Across the pond, the European Union (EU) reached a deal on the Digital Operational Resilience Act (DORA) to protect the European financial system against cyberattacks. And in the UK, the Bank of England found that cyberattacks remain the most critical risk to the stability of the UK financial system.

It's important for firms to learn from others' mistakes. EyeMed's failure to implement basic cybersecurity practices has now drawn penalties from two regulators for a single breach, costing the firm over $5 million in fines and much more in negative press and reputational damage. As regulators provide firms with a clear prescription for cyber safety, firms must follow it.

In the end, ongoing regulatory advice boils down to creating and implementing a cybersecurity risk management program that puts continuous vulnerability management and regular risk assessment at its center. The most sophisticated technology alone cannot protect a firm against cyber criminals, especially if the firm lacks robust employee training and 'basic hygiene' practices like multifactor authentication. Remember: regulators will not take kindly to your firm falling victim to an easily preventable attack.

Unsure where to start when it comes to regulatory compliance or worried about an unauthorized individual lurking in your systems? Check out Drawbridge’s regulatory assessment offering, or speak with our team to discuss how your firm can improve its cybersecurity risk management program.

Reach out to us today