NYDFS entered into a Consent Order with wealth management firm SA Stone, which sells insurance products to customers, over alleged cybersecurity violations. According to DFS allegations:
• SA Stone is an independent broker/dealer focusing on wealth management, holding licenses to sell insurance to its customers in New York.
• SA Stone experienced several reportable cybersecurity breaches arising out of phishing attempts, largely because multi-factor authentication had not been implemented.
• The company waited too long to report several Cybersecurity Events to DFS under Part 500.17 – including one instance in which it delayed reporting for 4 years.
• As measured by NYDFS, 28 New York residents were apparently impacted by these breaches, out of a total of 6,098 nationwide – less than half a percent.
• Violations included §§ 500.12(b) (MFA), 500.17(a) (untimely reporting), and 500.17(b) (failure to certify).
• No remediation was required, and no press release or tweet was issued announcing the enforcement action.