NYDFS PENALIZES PAYPAL $2 MILLION FOR CYBERSECURITY VIOLATIONS

Enforcement takeaways (according to DFS allegations in the Consent Order with PayPal):
• NYDFS found customer data was exposed after PayPal implemented changes to make 1099-K forms available to more of its customers, after teams tasked with implementing these changes failed to follow proper procedures before the changes went live.
• Malicious actors leveraged compromised credentials to …

NYDFS ORDERS NEW CYBER-ENFORCEMENT ACTIONS AGAINST GEICO ($5MM) AND TRAVELERS ($1.2MM)

Two new cybersecurity enforcement actions from NYDFS, against GEICO and Travelers Indemnity Co. Enforcement takeaways are (according to DFS allegations):
• GEICO experienced three cybersecurity events in a short period of time, primarily involving customer interfaces for obtaining quotes and submitting claims and the web portal for GEICO agents, allowing threat actors to obtain driver license …

NYDFS SUPERINTENDENT HARRIS UPDATES WASHINGTON BANKING CONFERENCE

Speaking at the Institute of International Bankers Annual Conference in DC, Superintendent Harris discussed the following:
• CHARACTER AND FITNESS FOR BANKING EXECS: Superintendent Harris responded to “the buzz” about this recent DFS guidance, saying it should be unsurprising that regulated banks would want to screen out personnel in sensitive positions with criminal records, dire financial problems, …

NYDFS ENFORCEMENT ACTION AGAINST GENESIS GLOBAL TRADING — $8 MM PENALTY AND LICENSE SURRENDER

NYDFS penalized Genesis Global Trading, a licensee that served primarily as an OTC trading shop, $8MM for cybersecurity, BSA/AML, and Consumer Protection violations. Genesis Global has now surrendered its license, apparently after having ceased trading activity some time ago. According to DFS allegations:
• Genesis Global did not conduct an enterprise-wide risk assessment until 2022, despite …

THE SHAPE OF ENFORCEMENT TO COME: AMENDMENTS TO THE NYDFS CYBERSECURITY REGULATION

My latest post on the blog for the NYU Program on Corporate Compliance and Enforcement deals with enforcement aspects of the recent amendments to the NYDFS Cybersecurity Regulation, Part 500. These recent amendments to the Cybersecurity Regulation (Part 500) of the New York State Department of Financial Services (NYDFS) are quite expansive in scope.[1] Chief Compliance …

NYDFS INTEGRAL TO NY STATE NEW CYBERSECURITY STRATEGY

According to the strategy released by New York governor Kathy Hochul: “Financial Sector[:] In 2017, the New York State Department of Financial Services (DFS) became the first banking or insurance regulator in the nation to establish a cybersecurity division to protect consumers and industries from cyber threats. DFS also created first-in-the-nation requirements for DFS-regulated banks, …

NYDFS $1.35 MILLION CYBERSECURITY ENFORCEMENT ACTION AGAINST WEALTH MANAGER SA STONE

NYDFS entered into a Consent Order for alleged cybersecurity violations against wealth management firm SA Stone, which sells insurance products to customers. According to DFS allegations:
• SA Stone is an independent broker/dealer focusing on wealth management, holding licenses to sell insurance to its customers in New York.
• SA Stone experienced several reportable cybersecurity breaches arising …

NYAG ISSUES $4.25 MILLION FINE IN CYBERSECURITY ACTION AGAINST LENDER ONEMAIN

NYDFS continues to roll out enforcement actions for cybersecurity lapses. The latest is with lender OneMain. According to NYDFS allegations in its Consent Order:
• This is the second cybersecurity enforcement action to arise from a routine examination, instead of a Cybersecurity Event.
• Meaning, as noted before, these enforcement actions are now routine.
• Third Party Risk …

NYDFS CYBERSECURITY ENFORCEMENT ACTION AGAINST CRYPTO FIRM BITFLYER

NYDFS issued an enforcement action against bitFlyer USA, Inc., a cryptocurrency exchange, obtaining a $1.2 million penalty. Takeaways from DFS allegations:
• No specific cyber event was involved – enforcement was based on violations identified over two examination cycles.
• This suggests cybersecurity is now well integrated into the DFS examination process.
• Core violations included the lack …