NYDFS issued Cybersecurity Enforcement Action No. 3 on April 14, 2021; here’s what you need to know from the Consent Order:
• National Securities, a licensed life insurance/annuity business, suffered four cybersecurity events between 2018 and 2020 that exposed nonpublic information (NPI); all four began with phishing of employee e-mail accounts.
• Although multi-factor authentication was required to be in place no later than March 1, 2018 (the end of the transitional period for 23 NYCRR 500.12), the company did not enforce it for its e-mail environment until August 2020.
• While the company notified other government agencies of the breaches, on two occasions it failed to notify NYDFS within 72 hours of determining a cybersecurity event had occurred, as 23 NYCRR 500.17(a) requires.
• The Order specifically finds that the company “falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018.” The findings do not suggest the level of intent behind this false certification or whether any other consequences are to follow.
• The Order was issued under Financial Services Law Section 408. The company must pay a civil penalty of $3 million and continue to remediate and report to NYDFS. Notably, the Order makes no finding as to the number of violations underlying the penalty; it merely cites three separate subsections of the regulation as the violations of law.
The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2021/04/ea20210412_national_securities_corp.pdf