NYDFS Commences First Cybersecurity Enforcement Action

by

First one! On July 22, 2020 NYDFS charged title insurer with violations of the DFS Cybersecurity Regulation. Administrative proceeding to commence in October. Personal hot takes from the DFS allegations (and they are only allegations):
(1) More than 850 million documents were accessible to anyone with a URL address providing access to a single document in the company’s web application that delivered documents to outside parties. Tens of millions of documents contained sensitive personal information such as SSNs and bank account information.
(2) After first identifying the vulnerability in Dec. 2018, the company allegedly ignored an internal recommendation for additional investigation.
(3) DFS also alleges the company failed to remediate the vulnerability for nearly six months due to a “cascade of errors” caused by “flaws in [the company’s] vulnerability remediation program.”
(4) Charged violations allege an inadequate risk assessment; lack of reasonable access controls; inadequate training; and lack of adequate encryption. Penalties are $1,000 per violation if proven.

(5) While the number of violations are not alleged in the charging document, the NYDFS press release states that ” DFS alleges that each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.”

The press release and Statement of Charges may be found here:  https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202007221

My article in the New York Law Journal anticipating this action can be found at:   https://www.law.com/newyorklawjournal/2020/01/06/anticipating-the-first-cybersecurity-enforcement-action-by-nydfs/

 

Preview of The Defense: First American Title Offers Its Defense to the NYDFS Enforcement Action in Earnings Call

by

Update re the NYDFS charges against First American Title concerning alleged violations of the Cybersecurity Regulation: the insurer previewed its defense in an earnings call on July 23, 2020: “In March, the Nebraska Department of Insurance, the primary regulator of our Title Insurance Company, led an examination of our information security program as of June 30, 2019, and our response to the information security incident. The resulting report concluded that our IT general control environment is suitably designed and is operating effectively and that we adequately and appropriately detected, analyzed, contained, eradicated and recovered from the security incident and that we are in compliance with New York’s cybersecurity requirements for financial services companies….The New York Department of Financial Services, notwithstanding the compliance finding in the examination report…has alleged violations of New York’s cybersecurity requirements….We intend to conduct a vigorous defense, which will focus on, among other matters, the examination report and at the conclusion regarding our compliance with New York’s cybersecurity requirements.”

The transcript of the call published by The Motley Fool can be found here:   https://www.fool.com/earnings/call-transcripts/2020/07/23/first-american-financial-corp-faf-q2-2020-earnings.aspx

NYDFS Issues Report Concerning Twitter Hack

by

On October 14, 2020 NYDFS issued a report of its investigation of the July 2020 Twitter hack. According to agency findings:
– Hackers accessed Twitter’s systems by calling Twitter employees and claiming to be from Twitter’s IT department; hijacked Twitter accounts of politicians, celebrities, and entrepreneurs with hundreds of millions of followers; and then engaged in a bitcoin fraud scheme causing at least $118,000 in losses.
– Cryptocurrency firms regulated by NYDFS — all of which are subject to the Department’s comprehensive cybersecurity regulation — responded quickly to block attempted transfers to the Bitcoin addresses used by the fraudsters, thereby mitigating fraud losses.
– Although it has 330 million average users per month, at the time of the attack Twitter did not have a chief information security officer, adequate access controls and identity management, or adequate security monitoring.

The report recommends that the largest social media companies should be designated as “systemically important” institutions with prudent regulation to manage heightened cybersecurity risk. Expect this to have impact. DFS continues in a leadership post in cybersecurity enforcement.

The NYDFS report may be found here: https://www.dfs.ny.gov/Twitter_Report

NYDFS Issues Enforcement Action Against Goldman Sachs Bank Involving 1MDB Bribery Matter

by

On October 22, 2020 NYDFS sanctioned Goldman Sachs $150 million as part of a Consent Order. It is part of global resolution with DOJ, Federal Reserve & others concerning highly-publicized FCPA scheme involving proceeds of bonds sold by its international arm. Some takeaways from the DFS findings:
– NYDFS continues focus on the impact of enterprise-wide compliance failures on its NY regulated entity, particularly with shared-service models.
– Banking regulators have for decades treated the “safety and soundness” definition broadly. This also continues.
– “GS Group is primarily responsible for the design, implementation, and execution of an enterprise-wide compliance program for GS Group as well as its subsidiaries,” including NYDFS licensee Goldman Sachs Bank USA.
– “The seamless transfer of information between the central compliance function and subsidiaries is particularly crucial where a subsidiary has its own separate regulatory obligations to report certain compliance concerns to regulators.”
– DFS says Goldman’s failure to investigate, address and report a number of red flags resulted in unsafe and unsound conduct at GSBUSA and the inability by NYDFS to share information that would have been of interest to other NYDFS licensees, including bond purchasers.

The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2020/10/ea20201021_goldman_sachs.pdf

NYDFS Issues Enforcement Action Against NRA for Unlicensed Activity

by

On November 18, 2020 NYDFS entered into a consent order with the National Rifle Association today settling charges related to the unauthorized marketing of so-called “self-defense” insurance that (according to the agency) also failed to comply with NY law:
– NYDFS filed administrative charges against the NRA this February and the hearing was set for January 2021.
– Settlement requires the NRA to pay a $2.5 million fine and bars it from marketing insurance or receiving compensation for newly issued NY insurance policies for 5 years.
– NYDFS appears to be nearing conclusion of this 3-year investigation. Previously it settled with insurance broker Lockton Affinity, as well as insurance carriers Chubb and Lloyds in connection this matter.
– Total fines imposed in this matter now approximate $16 million.
– Unlike some federal counterparts, NYDFS remains very active in the enforcement realm. Many of us waiting to see whether things change at the federal level under the Biden administration.

The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2020/11/ea20201118_co_nra.pdf

NYDFS Issues Cybersecurity Alert Concerning SolarWinds Hack

by

On December 18, 2020, NYDFS issued a supply chain compromise alert arising out of the SolarWinds hack. Some hot takes on Friday’s NYDFS guidance :
– If a regulated entity has been affected by the hack either directly, or indirectly through an affiliate or third party service provider, the entity should give notice to NYDFS right away – err on the side of disclosure
– NYDFS considers notice essential to understanding the full scope of the attack
– NYDFS will use this information to formulate a supervisory response that seeks to assist affected institutions and prevent further damage – the transparency necessary for an effective government response
– This is not a “gotcha” moment, but an opportunity for NYDFS to marshal resources to assist firms in responding to the attack and coordinate a response with other government agencies (FBI; DHS; etc.)
– Coincidence? On the same day NYDFS issued this specific guidance around its established cybersecurity regulation, federal banking regulators noticed a proposed rulemaking for the first time that requires notification to an entity’s principal federal regulator of a “computer-security incident.”

The guidance may be found here: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20201218_supply_chain_compromise_alert

NYDFS Enforcement Action Against AIG Insurance Subsidiary for Unlicensed Activity

by

NYDFS yesterday announced a settlement with an AIG subsidiary for engaging in the pension risk transfer business in New York without being licensed. The AIG subsidiary will pay a $12 million penalty – substantial for insurance penalties in NY– and transfer the business line to an AIG subsidiary licensed by NYDFS. Hot takes:
– This is the second settlement in an industry-wide investigation. The first was with Athene Holding Ltd. last year, which involved a $45 million penalty.
– The Consent Order notes the agency’s position that each instance of unlicensed solicitation, negotiation, or sale of insurance by an unauthorized insurer or of an improper policy is a separate violation of the Insurance Law. So sending and receiving hundreds or thousands of emails in an unlicensed business can quickly run up the penalty number.
– NYDFS maintains its long-term focus on penalizing financial companies that conduct business in New York without the necessary license; this is construed as an unfair competitive advantage by the regulator. 

The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2021/01/ea20210201_aig.pdf

 

NYDFS Uses New Powers to Investigate Alleged Price Spikes in COVID-19 Medicines, Targeting Non-Licensees

by

Continuing its focus on consumer protection enforcement, the New York State Department of Financial Services (“DFS”) announced an investigation into alleged price spikes for six drugs connected to treatments of COVID-19 medical conditions.[1]  According to DFS, its newly-formed Office of Pharmacy Benefits (“OPB”) commenced the investigations under Insurance Law § 111 into what it characterizes as “anomalously large spikes” in the prices of the six drugs, occurring since the onset of the COVID-19 pandemic.  These medications are Ascor, Budesonide, Dexonto, Mytesi, Duramorph and Chloroquine phosphate, each of which has some actual or claimed therapeutic use for COVID-19 conditions. More detail on this investigation can be found on my blog post for the NYU Program on Corporate Compliance and Enforcement, here:

New York State Department of Financial Services (“DFS”) Uses New Powers to Investigate Alleged Price Spikes in COVID-19 Medicines, Where Targeted Pharma Manufacturers Are Not DFS Licensees

 

NYDFS Issues Guidance Concerning Cybersecurity Threats to Nonpublic Information

by

 A key objective of NYDFS Regulation Part 500 is to permit the agency to share information it receives from its 72-hour notification provision with all regulated entities. This can help protect all entities from a cyber threat identified initially at some entities; NYDFS regulates over 3500 entities with approximately $7 trillion in assets. This recent … Read more