Infosys announced that its subsidiary, Infosys McCamish Systems (IMS), has reached an agreement with the US State of Vermont's Department of Financial Regulation (DFR). This agreement, known as a stipulation and consent order, resolves issues related to a cyber incident without requiring a hearing. IMS is obligated to pay a USD 125,000 administrative penalty within 30 days of the order's entry by the Commissioner.

In March 2025, Infosys had previously communicated that IMS would settle six class action lawsuits in the US concerning a 2023 cyber incident. As part of this settlement, IMS agreed to contribute USD 17.5 million to a fund addressing these lawsuits. The recent agreement with Vermont's DFR is another step in resolving legal matters linked to cybersecurity breaches.

Stipulation and Consent Order Details

The stipulation and consent order is essentially a legal agreement where involved parties agree on terms to settle or resolve a case without further litigation. This approach allows for a resolution without proceeding to court hearings, providing a quicker and often less contentious solution.

According to Infosys' filing, DFR accused IMS of breaching the Vermont Security Breach Notice Act. The allegations included failing to provide timely and accurate information during an investigation into the cybersecurity event and not notifying data owners promptly about the incident.

Allegations and Resolution

Despite entering into the stipulation and consent order, IMS has not admitted to any alleged violations. The order explicitly states that IMS does not acknowledge the existence of these violations. This resolution allows both parties to move forward without further legal proceedings.

Infosys McCamish Systems' decision to enter into this agreement reflects their commitment to resolving outstanding issues related to cybersecurity incidents efficiently. By settling these matters, they aim to focus on enhancing their cybersecurity measures and maintaining trust with stakeholders.

The resolution with Vermont's DFR highlights the importance of timely communication and transparency in handling cybersecurity incidents. Organisations are increasingly held accountable for how they manage data breaches and communicate with affected parties.

This development underscores the ongoing challenges companies face in managing cybersecurity risks and regulatory compliance. As cyber threats evolve, businesses must continually adapt their strategies to protect sensitive information and maintain regulatory standards.

With inputs from PTI