April 30, 2021 New York Department of Financial Services Issues Millions of Dollars in Penalties, Signaling Increased Cybersecurity Enforcement
On April 14, 2021, the New York Department of Financial Services (DFS) announced that it had settled an enforcement action against National Securities Corporation (“National Securities”) related to claims under the Cybersecurity Regulation, 23 NYCRR Part 500. The Consent Order imposes a $3 million penalty and various remediation measures, and it caps a flurry of cybersecurity enforcement activity by the regulator in the first quarter of 2021. In the last two months DFS has settled two enforcement actions and issued amended charges against First American, the first charges brought under the Cybersecurity Regulation, originally announced less than a year ago.
April 14, 2021, Settlement
National Securities is a brokerage and insurance firm headquartered in New York and licensed by DFS to sell insurance, making it subject to the Cybersecurity Regulation. In compliance with the regulation, the firm reported two separate Cybersecurity Events that occurred in 2019 and 2020, both involving email accounts, lacking Multi-Factor Authentication (MFA) or equivalent controls, that were compromised through a phishing scheme. Both incidents potentially impacted customers’ nonpublic information (NPI).
During the investigation into these reported events, National Securities informed DFS of two additional Cybersecurity Events that occurred in 2018 and 2019. National Securities had reported the 2018 event to the Attorney General’s Offices of New York, New Jersey, Connecticut and Massachusetts, notified all impacted customers, changed account credentials and provided credit monitoring to impacted customers. National Securities had also notified impacted customers of the 2019 event, changed account credentials, provided credit monitoring to impacted customers and reported it to the Internal Revenue Service (IRS), Securities and Exchange Commission (SEC), Federal Bureau of Investigation (FBI) and the local County Sheriff’s Office. However, the firm did not report either incident to DFS “as promptly as possible and in no event later than 72 hours” from determining that it had occurred, as required under the Cybersecurity Regulation.
The unreported events exposed NPI of certain customers through compromised Microsoft Office 365 email accounts belonging to an employee and to an independent contractor who is a broker at a firm affiliate. National Securities’ investigation determined that the email accounts were likely compromised by a phishing scheme. As a result of the unreported events, DFS found the following violations:
Section 500.12 Multi-Factor Authentication
Failure to implement MFA, or a reasonably equivalent or more secure access control, for all users accessing the firm’s email until August 14, 2020. § 500.12(b)
Failure to fully implement MFA for certain third-party applications used by the firm that accessed the firm’s internal network and consumer NPI. § 500.12(b)
Section 500.17 Notices to Superintendent
Failure to timely notify DFS of two Cybersecurity Events that occurred in April 2018 and March 2019. § 500.17(a)
Falsely certifying compliance for calendar year 2018: the firm timely filed its Certification of Compliance but had failed to comply with the MFA and breach notification requirements in connection with the unreported events. § 500.17(b)
In issuing a settlement, DFS acknowledged National Securities’ “commendable cooperation” with the investigation and “recognize[d] and credit[ed]” the firm’s ongoing efforts to remediate issues. In addition to the $3 million penalty, the largest published fine to date under the Cybersecurity Regulation, the Consent Order requires the firm to do the following within 120 days of the Order:
Submit a Cybersecurity Incident Response Plan consistent with § 500.16.
Submit a Cybersecurity Risk Assessment of its information systems consistent with § 500.09.
Submit Training and Monitoring materials consistent with § 500.14.
Notably, DFS agrees in the settlement to take no further action against the firm for conduct in connection with its investigation, including MFA implementation issues through December 2020, while reserving its right to take additional action in the future if it identifies any improper conduct not disclosed in the written materials submitted in connection with its investigation.