Cyber Incident Victim: Wilton Reassurance Life Company of New York
Date: Jun 2023
Location: United States of America
Summary
A cybersecurity incident impacted Wilton Reassurance Life Company of New York as part of a wider breach involving the MOVEit file transfer system used by third-party vendors. The event compromised the personal data of policyholders, agents, and beneficiaries, triggering regulatory mandates under Delaware's Insurance Data Security Act. Affected individuals were to be notified and provided with complimentary credit monitoring services for at least one year.
Description
A data security incident involving Wilton Reassurance Life Company of New York was part of a larger series of breaches impacting the insurance sector, which were publicly addressed by the Delaware Department of Insurance in a consumer alert update on July 24, 2023. The incident was linked to a widespread compromise of the MOVEit file transfer service system, a third-party application utilized by vendors serving numerous insurance companies. The event is dated to on or around June 26, 2023, the date referenced in the initial consumer alert from the Delaware Department of Insurance that first discussed the MOVEit breach and its implications for insurers and their customers.

The breach was not an isolated event targeting Wilton Reassurance Life Company of New York specifically but rather a mass exploitation of a vulnerability in the MOVEit software, which is widely used for secure file transfers. This vulnerability was exploited by malicious actors to gain unauthorized access to systems and exfiltrate data. The incident impacted Wilton Reassurance Life Company of New York through its engagement with a third-party vendor that used the vulnerable MOVEit system. The specific vendor involved was not named in the provided information. The compromised data resided on systems managed by this third-party service provider, not necessarily on systems directly owned or operated by the insurer itself.
The scope of the incident for Wilton Reassurance Life Company of New York, in terms of specific data elements exfiltrated, was not detailed in the available source material. However, the nature of the breach and the entities involved indicate that personal information belonging to agents, policyholders, and beneficiaries was the primary target. The total number of individuals affected across all insurers listed by the Delaware Department of Insurance exceeded 37,500. This figure represents the aggregate impact on Delaware residents from multiple insurers and their vendors; the specific number of Delaware residents affected by the Wilton Reassurance Life Company of New York incident was not broken out separately in the provided article.
In response to the cybersecurity event, the actions taken were governed by legal and regulatory requirements. Delaware’s Insurance Data Security Act, passed in 2019, was triggered by this breach. This law mandates specific protocols for insurers and their vendors following a data security event. The required response actions included an immediate investigation into the nature and scope of the cybersecurity event. This investigation was necessary to determine the extent of the unauthorized access and to identify the specific information systems and data that were compromised. A parallel requirement was the correction of the compromised information systems to address the vulnerability and prevent further unauthorized access or exfiltration.
A detailed reporting obligation was imposed on the involved entities. Insurers, including Wilton Reassurance Life Company of New York, and their affected third-party vendors were required to provide a comprehensive report to the Delaware Insurance Commissioner. This report would detail the findings of their investigation, the corrective measures taken, and the full scope of the impact on consumer data. Furthermore, the Act mandated that notification be provided to affected consumers. This notification was required to occur within 60 days of the insurer determining that a cybersecurity event had occurred, unless a federal law or a request from a law enforcement agency necessitated a modified timeline for such disclosure.
The consumer notification was required to include specific remedial offerings. Affected individuals were to be provided with credit monitoring services at no cost to them. The mandated period for these services was at least one year. The notification also had to include information and instructions for consumers on how to freeze their credit with the major credit bureaus as a protective measure against potential identity theft or fraud resulting from the exposure of their personal information.
The regulatory oversight of the incident response was led by the Delaware Department of Insurance under Commissioner Trinidad Navarro. The department confirmed it would investigate the situation thoroughly. This investigation was to be conducted by the department's Market Conduct staff, who were expected to work alongside investigators from other states in a coordinated effort. A key objective of this regulatory investigation was to assess whether appropriate safeguards for the handling of consumer data were in place at the time of the breach, as required by the Insurance Data Security Act. The department possesses the authority to investigate violations of the Act and to levy penalties accordingly if its provisions were not followed.
The public response from regulatory officials emphasized the seriousness of the breach. Insurance Commissioner Navarro publicly encouraged affected consumers to protect their identities by utilizing the offered credit and identity protection services. He reassured residents that the breach was being taken very seriously and would be investigated thoroughly. The incident underscored the systemic risk posed by vulnerabilities in third-party software and service providers upon which critical industries like insurance rely for daily operations and data management. The widespread impact of the MOVEit exploitation affected numerous companies beyond the insurance sector, making it a significant cybersecurity event. The response to the Wilton Reassurance Life Company of New York incident was therefore part of a larger, coordinated effort to address the consequences of a major supply chain attack.
