Cyber-Enforcement by NYDFS – Insurance Journal Podcast

Cyber-enforcement by NYDFS and others is only going to get more intense. I had the good fortune to sit down virtually with journalist Elizabeth Blosfield of the Insurance Journal to discuss ramped-up cybersecurity enforcement by NYDFS on the Insuring Cyber Podcast.

The link to the podcast episode can be found here: https://www.insurancejournal.tv/videos/19537/


NYDFS Expected to Take Enforcement Action Against Robinhood Financial

UPDATE ON NYDFS ENFORCEMENT ACTION VS. ROBINHOOD: There is a deal in principle, according to an amended S-1 filing. Expected penalty is $30MM, and there apparently will be appointment of an independent monitor. Robinhood says NYDFS informed it of alleged violations involving cybersecurity and virtual currency (Part 500 and Part 200) requirements, including deficiencies in policies and procedures regarding risk assessment, lack of an adequate incident response and business continuity plan, and deficiencies in application development security.

A Markets Insider article on the matter can be found here: https://markets.businessinsider.com/news/stocks/robinhood-ipo-30-million-fine-crypto-anti-money-laundering-probe-2021-7

A DEFICIENCY LETTER TO (NOT FROM) THE SEC: PLEASE PROVIDE MORE TRANSPARENCY WHEN CHARGING A CHIEF COMPLIANCE OFFICER WITH PERSONAL LIABILITY

It's time to send a deficiency letter to the SEC: the agency needs to do a better job of providing transparency when issuing an enforcement action against a compliance officer. See my latest post on the NYU Program on Corporate Compliance & Enforcement Blog.   Link is below: A Deficiency Letter to (Not From) The …

CYBERSECURITY ENFORCEMENT ACTIVITY FROM NYDFS FASHIONS REGULATORY EXPECTATIONS AND SUGGESTS MORE ENFORCEMENT TO COME

Matthew Levine's New York Law Journal article, “Cybersecurity Enforcement Activity From NYDFS Fashions Regulatory Expectations and Suggests More Enforcement Is To Come”, updates developments in cybersecurity enforcement by NYDFS.   The article may be found here:  NYLJ-DFS-CYBERSECURITY-ENFORCEMENT-LEVINE

Cyberenforcement Continues at NYDFS — The Insurance Industry Remains in Focus

On May 12, 2021, NYDFS issued another Cybersecurity enforcement action vs. Unum Life and Paul Revere Life. What you need to know from the findings in the Consent Order (yes, another settlement):
• The companies must pay a $1.8 million penalty, and conduct remediation and an independent third-party audit
• The relevant Cybersecurity Events occurred in September 2018 and October 2019 – both phishing intrusions; dozens of employee email accounts were compromised and nonpublic information (NPI) of New Yorkers and others was made accessible
• The companies did not have effective multi-factor authentication (MFA) in place for the e-mail environment until August 2019, long after the March 2018 deadline
• The Consent Order specifically finds the companies “falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018.”  Still, there is no suggestion concerning the actual level of intent underlying the false certification, or whether any other consequences flow from it.
• There is no specific finding regarding the number of violations underlying the penalty; NYDFS cites two subsections of the regulation as violations of law.
• ENFORCEMENT TAKEAWAY:  A big focus on MFA is emerging. If an entity did not implement effective MFA by March 2018, a subsequent Cybersecurity Event involving access to NPI is a likely enforcement target. Additionally, the insurance industry remains in focus.


The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2021/05/ea20210512_first_unum.pdf

NYDFS Issues Its Third Cybersecurity Enforcement Action — What You Need to Know

NYDFS issued Cybersecurity Enforcement Action No. 3 on April 14, 2021; here’s what you need to know from the Consent Order:

• National Securities, a life insurance/annuity provider, suffered four breaches between 2018 and 2020 exposing NPI – all from phishing.

• Although required to have implemented multi-factor authentication no later than March 2018, the company did not have it in place for its e-mail environment until August 2020.

• While notifying other government agencies of the cyber breaches, the company on two occasions failed to notify NYDFS of the breaches within 72 hours, as required.

• The Order specifically finds that the company “falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018.” The findings do not suggest the level of intent behind this false certification or whether any other consequences are to follow.

• Issued under Financial Services Law Section 408, the Consent Order requires the company to pay a civil penalty of $3 million and to continue to remediate and report to NYDFS. Notably, there is no finding as to the number of violations underlying the penalty; instead, three separate subsections of the regulation are cited as violations of law.


The Consent Order may be found here:   https://www.dfs.ny.gov/system/files/documents/2021/04/ea20210412_national_securities_corp.pdf

NYDFS Issues Enforcement Action Against Deutsche Bank for Anti-Money Laundering Deficiencies Involving Jeffrey Epstein and Eastern European Correspondent Banking Accounts

The New York Department of Financial Services (“NYDFS”) recently sanctioned Deutsche Bank (“DB”) $150 million for BSA/AML deficiencies.  According to the regulator’s factual findings, the compliance failures arose in connection with the bank’s private wealth relationship with Jeffrey Epstein, and correspondent banking relationships with Danske Bank Estonia (“Danske Estonia”) and FBME Bank (“FBME”), both located in Eastern Europe. This latest enforcement action against DB follows several others issued against the bank by NYDFS since 2015, including for improper conduct arising from LIBOR manipulation, sanctions violations, improper foreign exchange trading practices, and BSA/AML deficiencies in connection with money laundering arising out of equity trades at its London and Moscow branches. More detailed analysis and the Consent Order can be found on my blog post for the NYU Program on Corporate Compliance and Enforcement Blog here: 

Deutsche Bank Sanctioned in Connection with Jeffrey Epstein Banking Relationship: Financial Institutions Must Be Vigilant in BSA/AML Compliance


NYDFS Commences First Cybersecurity Enforcement Action

First one! On July 22, 2020 NYDFS charged a title insurer with violations of the DFS Cybersecurity Regulation. The administrative proceeding is to commence in October. Personal hot takes from the DFS allegations (and they are only allegations):
(1) More than 850 million documents were accessible to anyone who possessed the URL to a single document in the company’s web application for delivering documents to outside parties. Tens of millions of those documents contained sensitive personal information such as SSNs and bank account information.
(2) After first identifying the vulnerability in Dec. 2018, the company allegedly ignored an internal recommendation for additional investigation.
(3) DFS also alleges the company failed to remediate the vulnerability for nearly six months due to a “cascade of errors” caused by “flaws in [the company’s] vulnerability remediation program.”
(4) The charged violations allege an inadequate risk assessment; lack of reasonable access controls; inadequate training; and lack of adequate encryption. Penalties are $1,000 per violation if proven.

(5) While the number of violations is not alleged in the charging document, the NYDFS press release states that “DFS alleges that each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.”
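The access-control failure the allegations describe in (1) and (4) is the familiar pattern of a document-delivery endpoint that treats knowledge of a URL as the only credential. The following is an added illustration of that pattern and of one hardened alternative; it is not the title insurer's code, and the document store, document ids, owner identities and signing key are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import parse_qs, urlparse

# Constructed sample store (not real data): document id -> (owner, contents).
# Sequential ids are part of the problem: they make the whole store enumerable.
DOCUMENTS = {
    "1001": ("alice@example.com", "Closing statement, 12 Main St; SSN 123-45-6789"),
    "1002": ("bob@example.com", "Wire instructions; account 98765432"),
}


def serve_vulnerable(doc_id):
    """Vulnerable pattern: possessing a URL with a document id is the only check.
    Anyone who has one link can walk neighbouring ids and read every document."""
    entry = DOCUMENTS.get(doc_id)
    return entry[1] if entry else None


def enumerate_documents(serve, start=1000, count=10, **kw):
    """Simulate an outsider walking sequential ids against an endpoint."""
    found = {}
    for n in range(start, start + count):
        body = serve(str(n), **kw)
        if body is not None:
            found[str(n)] = body
    return found


def issue_share_link(doc_id, recipient, expires_at, key):
    """Hardened sharing: the link is bound to one document, one recipient and an
    expiry, and carries an HMAC over all three so none can be altered."""
    msg = f"{doc_id}|{recipient}|{expires_at}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"/documents/{doc_id}?to={recipient}&exp={expires_at}&sig={sig}"


def serve_hardened(doc_id, requester, now, key, link=None):
    """Hardened handler. `requester` is the authenticated identity of the caller
    (None for an unauthenticated request); `now` is the current unix time.
    The document is returned only to its owner, or to the recipient named in a
    valid, unexpired share link for this exact document. Every failure returns
    None so that a probe cannot distinguish 'no such document' from 'forbidden'."""
    entry = DOCUMENTS.get(doc_id)
    if entry is None:
        return None
    owner, body = entry
    if requester is not None and requester == owner:
        return body
    if link is None or requester is None:
        return None
    parsed = urlparse(link)
    if parsed.path != f"/documents/{doc_id}":
        return None  # link was minted for a different document
    q = parse_qs(parsed.query)
    try:
        to, exp, sig = q["to"][0], q["exp"][0], q["sig"][0]
    except KeyError:
        return None
    if to != requester or not exp.isdigit() or now > int(exp):
        return None
    expected = hmac.new(key, f"{doc_id}|{to}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return body


if __name__ == "__main__":
    key = b"example-signing-key"  # assumption: in production, a secret kept out of source
    print("vulnerable endpoint, unauthenticated walk:", enumerate_documents(serve_vulnerable))
    print("hardened endpoint, unauthenticated walk:",
          enumerate_documents(serve_hardened, requester=None, now=100, key=key))
    link = issue_share_link("1001", "carol@example.com", 200, key)
    print("carol via valid link:", serve_hardened("1001", "carol@example.com", 100, key, link))
    print("carol after expiry:", serve_hardened("1001", "carol@example.com", 300, key, link))
```

The hardened version still requires the external recipient to authenticate (for example by verifying the e-mail address the link was issued to) before the link is honoured; a signed link alone only narrows who can use it, it does not replace the identity check. Unguessable document identifiers would further blunt enumeration, but the authorization check is the control that actually matters.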

The press release and Statement of Charges may be found here:  https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202007221

My article in the New York Law Journal anticipating this action can be found at:   https://www.law.com/newyorklawjournal/2020/01/06/anticipating-the-first-cybersecurity-enforcement-action-by-nydfs/


Preview of The Defense: First American Title Offers Its Defense to the NYDFS Enforcement Action in Earnings Call

Update re the NYDFS charges against First American Title concerning alleged violations of the Cybersecurity Regulation: the insurer previewed its defense in an earnings call on July 23, 2020: “In March, the Nebraska Department of Insurance, the primary regulator of our Title Insurance Company, led an examination of our information security program as of June 30, 2019, and our response to the information security incident. The resulting report concluded that our IT general control environment is suitably designed and is operating effectively and that we adequately and appropriately detected, analyzed, contained, eradicated and recovered from the security incident and that we are in compliance with New York’s cybersecurity requirements for financial services companies….The New York Department of Financial Services, notwithstanding the compliance finding in the examination report…has alleged violations of New York’s cybersecurity requirements….We intend to conduct a vigorous defense, which will focus on, among other matters, the examination report and at the conclusion regarding our compliance with New York’s cybersecurity requirements.”

The transcript of the call published by The Motley Fool can be found here:   https://www.fool.com/earnings/call-transcripts/2020/07/23/first-american-financial-corp-faf-q2-2020-earnings.aspx