Governor Hochul Nominates Adrienne A. Harris to be the Next NYDFS Superintendent

NYDFS WATCH: Governor Hochul has nominated Adrienne Harris, a former economic advisor in the Obama White House and Treasury Department, to be the next NYDFS Superintendent. While the press release does not specify, each of the past two Superintendents became Acting Superintendent while their Senate nomination was pending.

The link to the nomination announcement is here: https://www.governor.ny.gov/news/governor-hochul-announces-nomination-adrienne-harris-superintendent-department-financial

NYDFS Expected to Take Enforcement Action Against Robinhood Financial

UPDATE ON NYDFS ENFORCEMENT ACTION VS. ROBINHOOD: There is a deal in principle, according to an amended S-1 filing. The expected penalty is $30MM, and an independent monitor apparently will be appointed. Robinhood says NYDFS informed it of alleged violations of the cybersecurity and virtual currency requirements (Part 500 and Part 200), including deficiencies in policies and procedures regarding risk assessment, the lack of an adequate incident response and business continuity plan, and deficiencies in application development security.

A Markets Insider article on the matter can be found here: https://markets.businessinsider.com/news/stocks/robinhood-ipo-30-million-fine-crypto-anti-money-laundering-probe-2021-7

A DEFICIENCY LETTER TO (NOT FROM) THE SEC: PLEASE PROVIDE MORE TRANSPARENCY WHEN CHARGING A CHIEF COMPLIANCE OFFICER WITH PERSONAL LIABILITY

It's time to send a deficiency letter to the SEC: the agency needs to do a better job of providing transparency when issuing an enforcement action against a compliance officer. See my latest post on the NYU Program on Corporate Compliance & Enforcement Blog. The link is below: A Deficiency Letter to (Not From) The …

CYBERSECURITY ENFORCEMENT ACTIVITY FROM NYDFS FASHIONS REGULATORY EXPECTATIONS AND SUGGESTS MORE ENFORCEMENT TO COME

Matthew Levine's New York Law Journal article, “Cybersecurity Enforcement Activity From NYDFS Fashions Regulatory Expectations and Suggests More Enforcement Is To Come,” updates developments in cybersecurity enforcement by NYDFS. The article may be found here: NYLJ-DFS-CYBERSECURITY-ENFORCEMENT-LEVINE

Cyberenforcement Continues at NYDFS — The Insurance Industry Remains in Focus

On May 12, 2021, NYDFS issued another cybersecurity enforcement action, this one against Unum Life and Paul Revere Life. What you need to know from the findings in the Consent Order (yes, another settlement):
• The companies must pay a $1.8 million penalty and conduct remediation and an independent third-party audit
• The relevant Cybersecurity Events occurred in September 2018 and October 2019; both were phishing intrusions in which dozens of employee email accounts were compromised and the NPI of New Yorkers and others was made accessible
• The companies did not have effective multi-factor authentication (MFA) in place for the e-mail environment until August 2019, long after the March 2018 deadline
• The Consent Order specifically finds that the companies “falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018.” Still, there is no suggestion concerning the actual level of intent underlying the false certification, or whether any other consequences flow from it.
• There is no specific finding regarding the number of violations underlying the penalty; NYDFS cites two subsections of the regulation as violations of law.
• ENFORCEMENT TAKEAWAY: A big focus on MFA is emerging. If an entity did not implement effective MFA by March 2018, a subsequent Cybersecurity Event involving access to nonpublic information (NPI) is a likely enforcement target. Additionally, the insurance industry remains in focus.

The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2021/05/ea20210512_first_unum.pdf

NYDFS Issues Its Report on the SolarWinds Cyber Attack

On April 27, 2021, NYDFS issued a report on the SolarWinds attack and regulated entities’ response. Based on interactions with 100 regulated entities, it found that:

• Some NYDFS licensees actually detected the attack before it became public but did not share that information

• No licensee reported that hackers actively exploited its network, consistent with other reporting that financial services companies were not actively targeted

• Licensees responded to the SolarWinds attack swiftly; 94% of impacted companies removed the vulnerability introduced into their networks within 3 days by disconnecting and/or patching

• Some licensees’ patch management programs are immature and lack the proper “patching cadence” needed to ensure timely remediation of high-risk cyber vulnerabilities

• Some licensed entities using SolarWinds’ Orion product did not classify SolarWinds as a critical vendor, even though Orion had privileged access to their networks

• ENFORCEMENT TAKEAWAY: “This attack confirms the importance of vigorous third party risk management, which starts with a thorough assessment of an organization’s third party risk. . . [Cyber risk] is an existential threat and we urge the industry to treat it as such.”

The report may be found here: https://www.dfs.ny.gov/system/files/documents/2021/04/solarwinds_report_2021.pdf

NYDFS Issues Its Third Cybersecurity Enforcement Action — What You Need to Know

NYDFS issued Cybersecurity Enforcement Action No. 3 on April 14, 2021; here’s what you need to know from the Consent Order:

• National Securities, a life insurance/annuity provider, suffered four breaches between 2018 and 2020 exposing NPI, all from phishing.

• Although required to have implemented multi-factor authentication no later than March 2018, the company did not have it in place for its e-mail environment until August 2020.

• While notifying other government agencies of the cyber breaches, the company on two occasions failed to notify NYDFS of the breaches within 72 hours, as required.

• The Order specifically finds that the company “falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018.” The findings do not suggest the level of intent behind this false certification or whether any other consequences are to follow.

• Under the Order, issued pursuant to Financial Services Law Section 408, the company must pay a civil penalty of $3 million and continue to remediate and report to NYDFS. Notably, there is no finding as to the number of violations underlying the penalty; instead, three separate subsections of the regulation are merely cited as violations of law.

The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2021/04/ea20210412_national_securities_corp.pdf

NYDFS Establishes an Office of Financial Inclusion and Empowerment

Fulfilling a FY 2021 budget initiative, NYDFS today announced establishment of its Office of Financial Inclusion and Empowerment. The office is intended to protect and empower New York consumers and advance economic justice. According to a recent NY Times article, economists believe government support is a crucial element in narrowing the nation’s racial wealth gap. The new office will:

• Maintain a centralized list of financial services counseling providers across housing, student loan, debt and general financial literacy throughout the State.

• Coordinate state and local services aimed at expanding access to credit and opportunities for wealth building.

• Incubate new programs to expand access to safe and affordable banking services, credit and financial education; coordinate public-private partnerships.

• Foster provision of high-quality, low-cost financial products statewide.

Former State Assembly member Tremaine Wright has been appointed as the first Director of this Office.

The press release announcing this can be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202104131

NYDFS Issues Emergency Order Granting Temporary Relief for Regulated Entities and Persons Affected by COVID-19

On March 12, 2020 NYDFS issued an “Order Granting Temporary Relief to COVID-19 Affected Regulated Entities and Persons.” This rather extraordinary order specifically acknowledges that “COVID-19 may present compliance challenges” and includes several significant provisions for regulated entities adversely impacted:

• Extends by 45 days the date by which regulated entities or persons must file certifications of compliance with the Cybersecurity Regulations (Part 500) and Transaction Monitoring/Filtering Regulations (Part 504);

• Extends by 45 days the date by which virtual currency licensees must file a Quarterly Financial Statement;

• Facilitates remote workforce activity by specifically acknowledging that individuals conducting “licensable activities from their personal residences” remain subject to the full supervision of the Department and must ensure compliance with required controls, such as for cybersecurity and data protection; and

• Waives the required advance notice where a regulated entity seeks to temporarily relocate an authorized place of business or close a branch office.

The emergency Order may be found here: https://www.dfs.ny.gov/system/files/documents/2020/03/ea20200312_covid19_relief_order.pdf