NYDFS FINES ROBINHOOD CRYPTO $30 MILLION FOR BSA/AML AND CYBERSECURITY VIOLATIONS

NYDFS has issued its first enforcement action against one of its regulated cryptocurrency entities. Enforcement takeaways: $30 million penalty is significant. Alleged violations include BSA/AML; Cybersecurity; Reporting; and Consumer Protection. The Department alleged adequate resources were not devoted to RHC’s compliance programs, particularly as it grew, which exacerbated compliance issues. Robinhood improperly certified compliance with …

NYDFS $5 MILLION CYBERSECURITY ENFORCEMENT ACTION AGAINST CARNIVAL CRUISE LINES

More cybersecurity enforcement from NYDFS, this time against Carnival Cruise Lines. Enforcement takeaways: Carnival Cruise Lines paid $5 million and surrendered its license to be an insurance broker in New York. It had sold life, accident and health insurance to cruise customers. NYDFS alleged “significant” violations, including: Failure to implement multi-factor authentication; Failure to timely …

NYDFS CYBERSECURITY UPDATE: NYDFS HOLDS WEBINAR MARKING FIFTH ANNIVERSARY OF CYBERSECURITY REGULATION

NYDFS held the first of three webinars marking the 5th anniversary of adoption of its Cybersecurity Regulation, known as “Part 500.” The webinar featured three NYDFS speakers: Justin Herring, Executive Deputy Superintendent for Cybersecurity; William Petersen, Assistant Deputy Superintendent for Cybersecurity Supervision; and Robert Francis, its CIO. Some takeaways: The Cybersecurity Division has now grown to …

NYDFS ISSUES ADVISORY RELATING TO UKRAINE SITUATION REGARDING CYBERSECURITY, CRYPTO, AND SANCTIONS

In light of the Russian invasion of Ukraine, NYDFS issued an advisory concerning compliance issues relating to cybersecurity, cryptocurrency and sanctions. Press release found here:  https://www.dfs.ny.gov/industry_guidance/industry_letters/il20220225_ukraine_escalation_impact_financial  

NYDFS SUPERINTENDENT ADRIENNE A. HARRIS SITS FOR FIRESIDE CHAT WITH BROOKINGS CENTER ON REGULATION AND MARKETS

NYDFS Superintendent Adrienne A. Harris sat down for a fireside chat with the Brookings Institution’s Center on Regulation and Markets. Here are some takeaways:
• On Enforcement: NYDFS will be focusing enforcement on “kitchen table” issues.
• On Cybersecurity: NYDFS is working on updating and improving its cybersecurity regulation.
• On Climate Change: NYDFS will …

Cyber-Enforcement by NYDFS – Insurance Journal Podcast

Cyber-enforcement by NYDFS and others is only going to get more intense. I had the good fortune to sit down virtually with journalist Elizabeth Blosfield of the Insurance Journal to discuss ramped up enforcement by NYDFS in cybersecurity on the Insuring Cyber Podcast.

 

The link to the podcast episode can be found here: https://www.insurancejournal.tv/videos/19537/

 

CYBERSECURITY ENFORCEMENT ACTIVITY FROM NYDFS FASHIONS REGULATORY EXPECTATIONS AND SUGGESTS MORE ENFORCEMENT TO COME

Matthew Levine’s New York Law Journal article, “Cybersecurity Enforcement Activity From NYDFS Fashions Regulatory Expectations and Suggests More Enforcement Is To Come,” updates developments in cybersecurity enforcement by NYDFS. The article may be found here: NYLJ-DFS-CYBERSECURITY-ENFORCEMENT-LEVINE

Cyberenforcement Continues at NYDFS — The Insurance Industry Remains in Focus

On May 12, 2021, NYDFS issued another Cybersecurity enforcement action vs. Unum Life and Paul Revere Life. What you need to know from the findings in the Consent Order (yes, another settlement):
• The companies must pay a $1.8 million penalty, and conduct remediation and an independent third-party audit
• The relevant Cybersecurity Events occurred in September 2018 and October 2019 – both phishing intrusions; dozens of employee email accounts compromised and NPI of New Yorkers and others made accessible
• The companies did not have effective multi-factor authentication (MFA) in place for the e-mail environment until August 2019, long after the March 2018 deadline
• The Consent Order specifically finds the companies “falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018.”  Still, there is no suggestion concerning the actual level of intent underlying false certification, or whether any other consequences flow.
• There is no specific finding regarding the number of violations underlying the penalty; NYDFS finds two subsections of the regulation as violations of law.
• ENFORCEMENT TAKEAWAY: A big focus on MFA is emerging. If an entity did not implement effective MFA by March 2018, a subsequent Cybersecurity Event involving access to nonpublic information (NPI) is a likely enforcement target. Additionally, the insurance industry remains in focus.

 

The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2021/05/ea20210512_first_unum.pdf

NYDFS Issues Its Report on the SolarWinds Cyber Attack

On April 27, 2021, NYDFS issued a report on the SolarWinds attack and regulated entities’ response. Per interactions with 100 regulated entities, it found that:


• Some NYDFS licensees actually detected the attack before it became public but didn’t share

• No licensee reported that hackers actively exploited the network, consistent with other reporting that financial services companies were not actively targeted

• Licensees responded to the SolarWinds Attack swiftly; 94% of impacted companies removed the vulnerability introduced from their networks within 3 days by disconnecting and/or patching

• Some licensees’ patch management programs are immature and lack proper “patching cadence” needed to ensure timely remediation of high-risk cyber vulnerabilities

• Some licensed entities using the SolarWinds Orion product did not classify SolarWinds as a critical vendor, even though Orion had privileged access to the company’s network

• ENFORCEMENT TAKEAWAY: “This attack confirms the importance of vigorous third party risk management, which starts with a thorough assessment of an organization’s third party risk. . . [Cyber risk] is an existential threat and we urge the industry to treat it as such.”

 

The report may be found here: https://www.dfs.ny.gov/system/files/documents/2021/04/solarwinds_report_2021.pdf