NYDFS Issues Its Third Cybersecurity Enforcement Action — What You Need to Know

NYDFS issued Cybersecurity Enforcement Action No. 3 on April 14, 2021; here’s what you need to know from the Consent Order:


• National Securities, a life insurance/annuity provider, suffered four breaches between 2018 and 2020 exposing NPI – all from phishing.


• Although required to have implemented multi-factor authentication no later than March 2018, the company did not have it in place for its e-mail environment until August 2020.


• While notifying other government agencies of the cyber breaches, the company on two occasions failed to notify NYDFS of the breaches within 72 hours, as required.


• The Order specifically finds that the company “falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018.” The findings do not suggest the level of intent behind this false certification or whether any other consequences are to follow.


• Issued under Financial Services Law Section 408, the company must pay a civil penalty of $3 million and continue to remediate and report to NYDFS. Notably, there is no finding as to the number of violations underlying the penalty; instead there are merely three separate subsections of the regulation that are cited as violations of law.

 

The Consent Order may be found here:   https://www.dfs.ny.gov/system/files/documents/2021/04/ea20210412_national_securities_corp.pdf

NYDFS Establishes an Office of Financial Inclusion and Empowerment

Fulfilling a FY 2021 budget initiative, NYDFS today announced establishment of its Office of Financial Inclusion and Empowerment. The office is intended to protect and empower New York consumers and advance economic justice. According to a recent NY Times article, economists believe government support is a crucial element in narrowing the nation’s racial wealth gap. The new office will:


• Maintain a centralized list of financial services counseling providers across housing, student loan, debt and general financial literacy throughout the State.


• Coordinate state and local services aimed at expanding access to credit and opportunities for wealth building.


• Incubate new programs to expand access to safe and affordable banking services, credit and financial education; coordinate public-private partnerships.


• Foster provision of high-quality, low-cost financial products statewide.


Former State Assembly member Tremaine Wright has been appointed as the first Director of this Office.

The press release announcing this can be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202104131

NYDFS Issues Emergency Order Granting Temporary Relief for Regulated Entities and Persons Affected by COVID-19

On March 12, 2020 NYDFS issued an “Order Granting Temporary Relief to COVID-19 Affected Regulated Entities and Persons.” This rather extraordinary order specifically acknowledges that “COVID-19 may present compliance challenges” and includes several significant provisions for regulated entities adversely impacted:

● Extends by 45 days the date by which regulated entities or persons must file certifications of compliance with the Cybersecurity Regulations (Part 500) and Transaction Monitoring/Filtering Regulations (Part 504).

● Extends by 45 days the date by which virtual currency licensees must file a Quarterly Financial Statement;

● Facilitates remote workforce activity by specifically acknowledging that individuals conducting “licensable activities from their personal residences” remain subject to the full supervision of the Department and must ensure compliance with required controls, such as for cybersecurity and data protection; and

● Waives the required advance notice where a regulated entity seeks to temporarily relocate an authorized place of business or close a branch office.

The emergency Order may be found here:  https://www.dfs.ny.gov/system/files/documents/2020/03/ea20200312_covid19_relief_order.pdf

Governor Cuomo and NYDFS Issue Extraordinary Orders and Regulations Dealing with Loan Forbearance Due to COVID-19

The New York Department of Financial Services and Governor Cuomo and have issued two extraordinary orders dealing with loan forbearance to mitigate the impact of COVID-19.

● Executive Order 202.9 declares that any “bank” subject to DFS jurisdiction shall be deemed to be engaged in an “unsafe and unsound business practice” under Banking Law Section 39(2) if it fails to grant a 90-day forbearance to any person or business with financial hardship as a result of the pandemic. This is a broad and apparently unprecedented application of the rarely-used cease and desist authority set forth in Section 39(2). The Executive Order also directs the Superintendent to ensure “any licensed or regulated entities provide to any consumer in [] New York an opportunity for a forbearance of payments for any mortgage for any person or entity facing a financial hardship due to the COVID-19 pandemic.”

● NYDFS issued an emergency regulation implementing this Order, requiring that certain “New York State regulated institutions” provide residential mortgage forbearance on property located in New York, for a period of 90 days, to any individual residing in New York who demonstrates financial hardship as a result of the COVID-19, subject to the usual safety and soundness requirements.

Executive Order 202.9 is here: https://www.governor.ny.gov/sites/default/files/atoms/files/EO_202.9.pdf

The NYDFS emergency regulation can be found here:  https://www.dfs.ny.gov/system/files/documents/2020/03/re_new_pt119_nycrr3_text.pdf

NYDFS Issues Enforcement Action Against Deutsche Bank for Anti-Money Laundering Deficiencies Involving Jeffrey Epstein and Eastern European Correspondent Banking Accounts

The New York Department of Financial Services (“NYDFS”) recently sanctioned Deutsche Bank (“DB”) $150 million for BSA/AML deficiencies.  According to the regulator’s factual findings, the compliance failures arose in connection with the bank’s private wealth relationship with Jeffrey Epstein, and correspondent banking relationships with Danske Bank Estonia (“Danske Estonia”) and FBME Bank (“FBME”), both located in Eastern Europe. This latest enforcement action against DB follows several others issued against the bank by NYDFS since 2015, including for improper conduct arising from LIBOR manipulation, sanctions violations, improper foreign exchange trading practices, and BSA/AML deficiencies in connection with money laundering arising out of equity trades at its London and Moscow branches. More detailed analysis and the Consent Order can be found on my blog post for the NYU Program on Corporate Compliance and Enforcement Blog here: 

Deutsche Bank Sanctioned in Connection with Jeffrey Epstein Banking Relationship: Financial Institutions Must Be Vigilant in BSA/AML Compliance

 

NYDFS Commences First Cybersecurity Enforcement Action

First one! On July 22, 2020 NYDFS charged title insurer with violations of the DFS Cybersecurity Regulation. Administrative proceeding to commence in October. Personal hot takes from the DFS allegations (and they are only allegations):
(1) More than 850 million documents were accessible to anyone with a URL address providing access to a single document in the company’s web application that delivered documents to outside parties. Tens of millions of documents contained sensitive personal information such as SSNs and bank account information.
(2) After first identifying the vulnerability in Dec. 2018, the company allegedly ignored an internal recommendation for additional investigation.
(3) DFS also alleges the company failed to remediate the vulnerability for nearly six months due to a “cascade of errors” caused by “flaws in [the company’s] vulnerability remediation program.”
(4) Charged violations allege an inadequate risk assessment; lack of reasonable access controls; inadequate training; and lack of adequate encryption. Penalties are $1,000 per violation if proven.

(5) While the number of violations are not alleged in the charging document, the NYDFS press release states that ” DFS alleges that each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.”

The press release and Statement of Charges may be found here:  https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202007221

My article in the New York Law Journal anticipating this action can be found at:   https://www.law.com/newyorklawjournal/2020/01/06/anticipating-the-first-cybersecurity-enforcement-action-by-nydfs/

 

Preview of The Defense: First American Title Offers Its Defense to the NYDFS Enforcement Action in Earnings Call

Update re the NYDFS charges against First American Title concerning alleged violations of the Cybersecurity Regulation: the insurer previewed its defense in an earnings call on July 23, 2020: “In March, the Nebraska Department of Insurance, the primary regulator of our Title Insurance Company, led an examination of our information security program as of June 30, 2019, and our response to the information security incident. The resulting report concluded that our IT general control environment is suitably designed and is operating effectively and that we adequately and appropriately detected, analyzed, contained, eradicated and recovered from the security incident and that we are in compliance with New York’s cybersecurity requirements for financial services companies….The New York Department of Financial Services, notwithstanding the compliance finding in the examination report…has alleged violations of New York’s cybersecurity requirements….We intend to conduct a vigorous defense, which will focus on, among other matters, the examination report and at the conclusion regarding our compliance with New York’s cybersecurity requirements.”

The transcript of the call published by The Motley Fool can be found here:   https://www.fool.com/earnings/call-transcripts/2020/07/23/first-american-financial-corp-faf-q2-2020-earnings.aspx

NYDFS Issues Report Concerning Twitter Hack

On October 14, 2020 NYDFS issued a report of its investigation of the July 2020 Twitter hack. According to agency findings:
– Hackers accessed Twitter’s systems by calling Twitter employees and claiming to be from Twitter’s IT department; hijacked Twitter accounts of politicians, celebrities, and entrepreneurs with hundreds of millions of followers; and then engaged in a bitcoin fraud scheme causing at least $118,000 in losses.
– Cryptocurrency firms regulated by NYDFS — all of which are subject to the Department’s comprehensive cybersecurity regulation — responded quickly to block attempted transfers to the Bitcoin addresses used by the fraudsters, thereby mitigating fraud losses.
– Although it has 330 million average users per month, at the time of the attack Twitter did not have a chief information security officer, adequate access controls and identity management, or adequate security monitoring.

The report recommends that the largest social media companies should be designated as “systemically important” institutions with prudent regulation to manage heightened cybersecurity risk. Expect this to have impact. DFS continues in a leadership post in cybersecurity enforcement.

The NYDFS report may be found here: https://www.dfs.ny.gov/Twitter_Report

NYDFS Issues Enforcement Action Against Goldman Sachs Bank Involving 1MDB Bribery Matter

On October 22, 2020 NYDFS sanctioned Goldman Sachs $150 million as part of a Consent Order. It is part of global resolution with DOJ, Federal Reserve & others concerning highly-publicized FCPA scheme involving proceeds of bonds sold by its international arm. Some takeaways from the DFS findings:
– NYDFS continues focus on the impact of enterprise-wide compliance failures on its NY regulated entity, particularly with shared-service models.
– Banking regulators have for decades treated the “safety and soundness” definition broadly. This also continues.
– “GS Group is primarily responsible for the design, implementation, and execution of an enterprise-wide compliance program for GS Group as well as its subsidiaries,” including NYDFS licensee Goldman Sachs Bank USA.
– “The seamless transfer of information between the central compliance function and subsidiaries is particularly crucial where a subsidiary has its own separate regulatory obligations to report certain compliance concerns to regulators.”
– DFS says Goldman’s failure to investigate, address and report a number of red flags resulted in unsafe and unsound conduct at GSBUSA and the inability by NYDFS to share information that would have been of interest to other NYDFS licensees, including bond purchasers.

The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2020/10/ea20201021_goldman_sachs.pdf