NYDFS issued an enforcement action against bitFlyer USA, Inc., a cryptocurrency exchange, obtaining a $1.2 million penalty. Takeaways from DFS allegations:
• No specific cyber event was involved – enforcement was based on violations identified over two examination cycles
• This suggests cybersecurity is now well integrated into the DFS examination process
• Core violations included the lack of a risk assessment pursuant to cyber reg § 500.9
• Another core violation was the failure to establish and maintain a board-approved cybersecurity program pursuant to virtual currency reg § 200.16
• bitFlyer USA’s cyber policies were not bespoke – “[c]ertain documents were clearly templates, one referring to bitFlyer USA as ‘ABC Company’”
• bitFlyer USA did not conduct annual reviews or obtain board approvals of its policies
• No press release or Tweet announcing the resolution