Three years after New York’s expansive Cybersecurity Regulation went into effect, the state’s Department of Financial Services (DFS) has brought its first enforcement action, charging First American Title Insurance Co. for its handling of a vulnerability that allowed easy access to over 65 million documents containing individuals’ bank account and other sensitive non-public information. The DFS alleges that the insurer violated its obligations to safeguard the data by failing to adequately assess the security risks around its trove of documents, then conducting “a preposterously minimal review” once it became aware of the problem. In this article, we detail the relevant allegations and provide insights from lawyers at ACA Aponix, BakerHostetler, Debevoise & Plimpton, Freshfields and Hogan Lovells about DFS’ enforcement approach and compliance lessons for companies. See “How Is COVID-19 Affecting Cybersecurity Risk, Readiness, Reporting and NYDFS Enforcement?” (Apr. 22, 2020).