Recent developments about the New York State Department of Financial Services
(Not affiliated with NYDFS; just a blog.)
According to the strategy released by New York governor Kathy Hochul: “Financial Sector[:] In 2017, the New York State Department of Financial Services (DFS) became the first banking or insurance regulator in the nation to establish a cybersecurity division to protect consumers and industries from cyber threats. DFS also created first-in-the-nation requirements for DFS-regulated banks, … Read more
Harriet Pearson has been appointed Executive Deputy Superintendent for Cybersecurity by Superintendent Adrienne A. Harris, following the departure of Justin Herring. Announcement here.
NYDFS entered into a Consent Order for alleged cybersecurity violations against wealth management firm SA Stone, which sells insurance products to customers. According to DFS allegations: • SA Stone is an independent broker/dealer focusing on wealth management, holding licenses to sell insurance to its customers in New York. • SA Stone experienced several reportable cybersecurity breaches arising … Read more
NYDFS continues to roll out enforcement actions for cybersecurity lapses. The latest is with lender OneMain. According to NYDFS allegations in its Consent Order: • This is the second cybersecurity enforcement action to arise from a routine examination, instead of a Cybersecurity Event. • Meaning, as noted before, these enforcement actions are now routine. • Third Party Risk … Read more
NYDFS issued an enforcement action against bitFlyer USA, Inc., a cryptocurrency exchange, obtaining a $1.2 million penalty. Takeaways from DFS allegations: • No specific cyber event was involved – enforcement was based on violations identified over two examination cycles • This suggests cybersecurity is now well integrated into the DFS examination process • Core violations included the lack … Read more
NYDFS penalized payment platform Bitpay for alleged violations of its regulations governing BSA/AML requirements and cybersecurity obligations. Here are some hot takes from DFS’ allegations set forth in its Consent Order: • Bitpay provides a payment platform for merchants wanting to receive Bitcoin payments; • Bitpay conducted only one cybersecurity risk assessment over a 4-year period; • Bitpay … Read more
NYDFS issued an enforcement action against Coinbase Inc., alleging a variety of compliance failures. Some details: – $50MM penalty; $50MM commitment spend on compliance; Continuation of Independent Monitor – “During much of the relevant period, Coinbase’s KYC/CDD program, both as written and as implemented, was immature and inadequate. Coinbase treated customer onboarding requirements as a … Read more
NYDFS entered into another cybersecurity Consent Order, this time with TTEC Healthcare Solutions, Inc. an insurance broker. Cybersecurity actions have become one of the agency’s most common types of enforcement actions. This one carries a $1.9 Million penalty; some takeaways from DFS allegations include: • TTEC failed to implement adequate multi-factor authentication. • TTEC completely failed to … Read more
NYDFS Proposed amendments to its Cybersecurity Regulation, “Part 500.” According to DFS, the amendments include: – Creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs. – Enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels. – Additional controls to … Read more
The Wall Street Journal has reported that amendments to Part 500, the NYDFS Cybersecurity Regulation, could by issued by the agency in the near future. From the WSJ article: “”Last week’s consent order, one of three multimillion-dollar cybersecurity settlements NYDFS has reached in recent months, comes as the agency prepares to propose regulatory updates that … Read more