23 NYCRR Part 500 Noncompliance Racks up Millions in 3 Months
As of May 13, 2021, the New York Department of Financial Services (NYDFS, or just DFS) had reached three separate settlements with four companies licensed in the state, with fines totaling $6.3 million for cybersecurity breaches and related noncompliance. Announced nearly a month apart, from the first consent agreement in April to the final notice in May, each of these settlements charged the firm in question with breaking compliance with Part 500 of Title 23 of the New York Codes, Rules, and Regulations (23 NYCRR 500, Part 500, or the Cybersecurity Regulation).
Established March 2017, 23 NYCRR 500 has been considered the beginning of a comprehensive regulatory redefinition of data security in the vein of the European Union’s GDPR, as there were few, if any, similar regulations in the US at the time. In the years since DFS implemented Part 500, however, other states have followed suit with sweeping legislation like California’s CCPA and other agencies have begun to reapply consumer protection rules towards enforcing cybersecurity across regulated financial services.
Unreported Breaches, Phishing Attacks and Lack of MFA
The violations for which the NYDFS levied fines all involved some form of cyber breach, although the Department uncovered different (though often similar) circumstances affecting each firm. In every case, customer data the firm had collected and stored was exposed, and in every case the firm had failed, for various reasons, to report the true extent of the damage malicious actors had been able to do while inside its systems. These failures, together with the additional individual infringements, constituted considerable breaches of some of the most basic, but critical, obligations included under 23 NYCRR 500.
Residential Mortgage Services
On March 3, 2021, DFS settled with Residential Mortgage Services, Inc. (“RMS”) for a $1.5 million penalty for violating Part 500.17 after it was discovered they had failed to report a 2019 cyber breach. An RMS employee’s email account had been accessed by unauthorized external parties and consequently the personal data of mortgage loan applicants accessible through that account was exposed. Additionally, Residential had never bothered to investigate the breach until the Department obliged them to.
National Securities Corporation
On April 14, 2021, the NYDFS settled with National Securities Corporation (“National Securities”) for a $3 million penalty for failing to report two cyber breaches, as well as for not implementing MFA (multi-factor authentication) or equivalent cybersecurity controls as required under Title 23, Part 500.8. National Securities was discovered to have experienced a total of four cyber breaches between 2018 and 2020, but had only reported two of these to DFS, and so was found in violation of the Cybersecurity Regulation. Over the course of the investigation into the total extent of the intrusions, the Department uncovered the lack of the additional authentication controls, which are an integral part of the NYCRR.
First Unum Life Insurance Company of America & Paul Revere Life Insurance Company
On May 13, 2021, NYDFS settled with both First Unum Life Insurance Company of America (“First Unum”) and Paul Revere Life Insurance Company (“Paul Revere”) for $1.8 million. Both companies are branches of the Unum Group, and employees of both were found to have been victims of two separate phishing attacks between 2018 and 2019 that compromised their shared customer data. The investigation also uncovered that not only had both failed to implement MFA, but that both companies had also falsely certified compliance with Part 500.8 in 2018 despite knowing they had not implemented the required controls.
The Impact of the DFS Cybersecurity Regulation Settlements
There is much to unpack and analyze in the NYDFS’s three settlements above for any financial services firm, not just in New York but throughout the US. Beyond the noncompliance itself, the exorbitant cost of these fines is only a fraction of the potential financial burden these companies have faced by failing to implement even basic data security controls, promptly inform stakeholders of a breach, or do the due diligence needed to discover the extent of the damage. The actions by DFS also establish a precedent and signal the thinking of regulators regarding how firms like yours protect your clients’ data: networks are increasingly connected, and one weak link exposes the information of many.
New York Leading the Charge on Cybersecurity Regulation?
The current Superintendent of NYDFS, Linda Lacewell, joined the Insuring Cyber Podcast at the beginning of 2021 along with another guest, Peter Halprin of Pasich LLP, to discuss the Department’s approach and commitment to cybersecurity. Lacewell made her thoughts on cyber risk and the role DFS will play in protecting both firms and consumers from it very clear, along with establishing that her office and the industry must keep up with the changing times and respond to the disruption it brings. As Halprin and many other experts have indicated, New York has stood out as a leader in cyber regulation and this position may only grow as the impact of these three settlements is felt across the finance market.
DFS Settlements Reminiscent of Actions Taken by FINRA and SEC
This type of enforcement is not solely the domain of DFS; FINRA and the SEC have levied their own penalties against licensed firms for failing to protect both themselves and, consequently, their clients from a data breach. The CEO and Chief Compliance Officer of broker-dealer Supreme Alliance, LLC was the subject of another 2021 action filed by FINRA, after his company had already been fined under the same Identity Theft Red Flags Rule by the SEC. Besides violating this and other regulations by trying to obstruct the investigation, the officer had allowed his email account to be exposed and then allowed it to remain exposed to hackers by not taking action to correct it.
Keeping Up with Data Privacy Compliance
Whether from ignorance or arrogance, the end result of not implementing the necessary cybersecurity controls is the same for clients of any financial service firm, and regulators have taken note. Many more examples are likely to be made from many more businesses that have been hacked, and DFS, FINRA and SEC will very likely apply the same enforcement to executives who ignored the guidelines as to those who simply were unaware of the gaps in their systems.
Keeping up with all of the new and changing data privacy regulations can be a challenge, but SWK Technologies is here to help your firm ensure compliance, and quickly identify and plug any gaps. Our comprehensive list of cybersecurity solutions will help you better fulfill obligations for a wide range of required protections, allowing your firm to remain both compliant and secure against the threats targeting your industry.
Ensure Your Business is Protected with the Cybersecurity Checklist
SWK Technologies will help you determine the level of protection you still need to implement to meet compliance and defend yourself against all manner of cyber threats, and identify where your biggest risks lie. Review our Cybersecurity Checklist and fill in the fields to see if you are lacking any of the basic solutions and processes that could leave you exposed to both hackers and noncompliance.
Download the Cybersecurity Checklist here and reach out to SWK Technologies ASAP if you are missing any protections, or need to look into a deeper level of cyber defense.