Key Point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to review carefully their compliance in view of the NYDFS interpretations and guidance.
Read More NY DFS Hosts Webinar on MFA Requirements

Key Point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.

On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). The guidance, “Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers” (the “Guidance”), specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers. According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.
Read More Important Guidance on Third-Party Service Provider Cyber Risk

The Connecticut Insurance Department issued a revised Notice to All Entities and Persons Licensed by the Connecticut Insurance Department concerning the Usage of Big Data and Avoidance of Discriminatory Practices (available here).  The Notice, issued April 20, 2022, reminds “all entities and persons licensed by the Department that the Department continues to expect such entities and persons to use technology and Big Data in full compliance with anti-discrimination laws and have completed the [annual] data certification….”
Read More Big Data for Insurers: Clarity about the New Connecticut Requirements

Vermont Governor Scott signed the Vermont Insurance Data Security Law (available here) (the “VIDSL”), becoming the 21st state to adopt a cybersecurity statute based on the National Association of Insurance Commissioners Insurance Data Security Model Law (NAIC Model 668). 
Read More NAIC Insurance Data Security Model Law Update: Vermont Becomes 21st State

On December 7, 2021, the New York Department of Financial Services (“NY DFS”) released an industry letter providing guidance on Multi-Factor Authentication (“MFA”). MFA requires users of information systems to provide an additional “factor,” often through a one-time code or push notification to their mobile device, in addition to their password when accessing information systems.
Read More NY DFS Releases Guidance on Multi-Factor Authentication

The New York Department of Financial Services (NYDFS) has now released a pair of alerts on the increase in cyberattacks on public facing insurance websites that provide instant quoting services to customers.  If you provide instant online quoting through your website, it is imperative that you review your system’s security and the methods you use to provide instant quotes.
Read More NYDFS Alerts Insurance Industry on Cyber Threats to Auto Quote Functions

Hartford Office Managing Partner Ted Augustinos authored an article for Best’s Review detailing privacy and cybersecurity issues that have arisen for insurers and producers as a result of employees working remotely due to the COVID-19 pandemic. For companies that likely have not previously had their entire workforce working remotely simultaneously, it is important to revisit risk assessments and evaluate technical and administrative safeguards, he explains.
Read More Home Sweet Workplace?

Reminding NY DFS regulated entities that its Cybersecurity Regulation (23 NYCRR Part 500) requires assessment of cybersecurity risk, and the reporting of certain cybersecurity events within 72 hours, the DFS issued guidance specific to the current COVID-19 pandemic. The DFS guidance is appropriate for any business, whether or not subject to the NY Regulation.
Read More NY DFS Issues Guidance to Regulated Entities for Cybersecurity in the Remote Work Environment

The long-awaited amendments to the California Consumer Privacy Act of 2018 (CCPA) have finally become law. On October 11, 2019—two days before the October 13 deadline—California Governor Gavin Newsom announced that he signed all of the California Legislature’s September 2019 amendments to the CCPA: AB-25, AB-874, AB-1146, AB-1355, and AB-1564.
Read More CCPA Amendments Are In! Draft CCPA Regulations Are Out!