NYDFS CYBERSECURITY ENFORCEMENT ACTION AGAINST TTEC HEALTHCARE

NYDFS entered into another cybersecurity Consent Order, this time with TTEC Healthcare Solutions, Inc., an insurance broker. Cybersecurity actions have become one of the agency’s most common types of enforcement actions. This one carries a $1.9 million penalty; some takeaways from DFS allegations include:

• TTEC failed to implement adequate multi-factor authentication.
• TTEC completely failed to …

NYDFS PROPOSES AMENDMENTS TO CYBERSECURITY REGULATION

NYDFS proposed amendments to its Cybersecurity Regulation, “Part 500.” According to DFS, the amendments include:

– Creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs.
– Enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels.
– Additional controls to …

REVISED NYDFS CYBERSECURITY REGULATION COULD BE IMMINENT

The Wall Street Journal has reported that amendments to Part 500, the NYDFS Cybersecurity Regulation, could be issued by the agency in the near future. From the WSJ article: “Last week’s consent order, one of three multimillion-dollar cybersecurity settlements NYDFS has reached in recent months, comes as the agency prepares to propose regulatory updates that …

NYDFS TAKES $4.5 MILLION CYBERSECURITY ENFORCEMENT ACTION AGAINST EYEMED VISION CARE

NYDFS has taken another cybersecurity enforcement action, this time against vision insurance company EyeMed. NYDFS leveled a $4.5 million penalty against the company. From its findings: “The Department’s investigation revealed that as a result of a July 1, 2020 phishing attack, a bad actor gained access to a shared EyeMed email mailbox which contained over …

ROBINHOOD REVISITED: A KEY TAKEAWAY FROM THE RECENT NYDFS ENFORCEMENT ACTION CONCERNING NYDFS’ VIEW OF ITS JURISDICTION

The scope of NYDFS jurisdiction is an oft-debated issue for regulated and non-regulated entities alike. To better understand how NYDFS views its jurisdiction and mission, it’s worth re-reading these findings from its Consent Order against Robinhood Crypto. “[I]t is worth beginning with the Department’s observation that RHC’s overall approach to its compliance obligations substantially contributed …

CFPB SEEKS TO MUSCLE INTO CYBERSECURITY ENFORCEMENT

According to a CFPB Circular, the CFPB seeks to further muscle into the cybersecurity enforcement space, and it encourages State AGs to do so as well, saying: “Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents.” State AG’s …

NYDFS ISSUES “PRE-PROPOSED OUTREACH” FOR AMENDMENTS TO ITS LANDMARK CYBERSECURITY REGULATION

NYDFS issued what it called a “Pre-Proposed Outreach” for Proposed Amendments to Its Cybersecurity Regulation. The changes are significant and in some sense more prescriptive. Comments are due August 8; to be followed by the actual proposed rulemaking under the state Administrative Procedure Act and a 60-day comment period. The NYDFS Pre-Proposal is available here: …

NYDFS FINES ROBINHOOD CRYPTO $30 MILLION FOR BSA/AML AND CYBERSECURITY VIOLATIONS

NYDFS has issued its first enforcement action against one of its regulated cryptocurrency entities. Enforcement takeaways: $30 million penalty is significant. Alleged violations include BSA/AML; Cybersecurity; Reporting; and Consumer Protection. The Department alleged adequate resources were not devoted to RHC’s compliance programs, particularly as it grew, which exacerbated compliance issues. Robinhood improperly certified compliance with …

NYDFS $5 MILLION CYBERSECURITY ENFORCEMENT ACTION AGAINST CARNIVAL CRUISE LINES

More cybersecurity enforcement from NYDFS, this time against Carnival Cruise Lines. Enforcement takeaways: Carnival Cruise Lines paid $5 million and surrendered its license to be an insurance broker in New York. It had sold life, accident and health insurance to cruise customers. NYDFS alleged “significant” violations, including: Failure to implement multi-factor authentication; Failure to timely …

NYDFS CYBERSECURITY UPDATE: NYDFS HOLDS WEBINAR MARKING FIFTH ANNIVERSARY OF CYBERSECURITY REGULATION

NYDFS held the first of three webinars marking the 5th anniversary of adoption of its Cybersecurity Regulation, known as “Part 500.” The webinar featured NYDFS’s Justin Herring, Executive Deputy Superintendent for Cybersecurity; William Petersen, Assistant Deputy Superintendent for Cybersecurity Supervision; and Robert Francis, its CIO. Some takeaways: The Cybersecurity Division has now grown to …