On April 14, 2021, the New York Department of Financial Services ("NYDFS") announced a settlement with National Securities Corporation ("National Securities"), a licensed insurer, in connection with claims under the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). The consent order requires payment of a $3M penalty and mandatory remediation in response to alleged failures to properly implement multi-factor authentication and to notify NYDFS of two cybersecurity events that were reported to other regulators in 2018 and 2019, as well as for falsely certifying compliance for the 2018 calendar year.

The consent order demonstrates continued active enforcement of the Cybersecurity Regulation by the NYDFS. The $3M penalty is the largest published assessment to date for alleged violations of the Cybersecurity Regulation. The consent order follows a $1.5M assessment in a separate matter announced last month. It is the second order (in a relatively short period of time) that specifically targets undisclosed prior security incidents. The consent order is the first announced order to specifically fault a licensee for a false annual certification (in this case, for a certification relating to the 2018 calendar year). Thus, the consent order highlights the NYDFS's continued strong interest in assessing past as well as current-state compliance with the Cybersecurity Regulation.

The consent order also addresses the NYDFS's interpretation of the multi-factor authentication requirements under the Cybersecurity Regulation. National Securities is faulted for failing to fully implement multi-factor authentication (or to maintain equivalent controls approved by the Chief Information Security Officer) for third-party applications "which accessed National Securities' internal network or contained consumer Nonpublic Information" (NPI). Based on the consent order, the third-party applications used by National Securities included cloud-based applications accessible to National Securities employees and independent contractors. The consent order raises the question of whether multi-factor authentication is expected for all third-party cloud-based applications containing NPI, or only for those applications which also access the licensee's internal network (consistent with Cybersecurity Regulation § 500.12(b)).

The consent order also alleges other failures by the insurer under the Cybersecurity Regulation, including that:

  • National Securities experienced two cyber events, in 2018 and 2019, in which threat actors accessed the email account of the Chief Financial Officer and an employee's "secure document management system" associated with tax software. Although National Securities notified numerous regulatory and enforcement authorities, the NYDFS alleges that it was not properly notified.
  • National Securities certified compliance with the Cybersecurity Regulation for the 2018 calendar year on January 23, 2019. In light of the failures alleged elsewhere, the NYDFS maintains that this certification was false at the time of certification.

In addition to payment of the $3M civil monetary penalty, the consent order also requires substantial remediation, including submissions of the following to the NYDFS within 120 days:

  • A comprehensive written cybersecurity incident response plan
  • A comprehensive "Cybersecurity Risk Assessment"
  • "risk-based policies, procedures and controls designed to: (a) monitor the activity of Authorized Users and (b) detect unauthorized access or use of, or tampering with, NPI by such Authorized Users" and
  • Cybersecurity training materials for all personnel, as "updated to reflect risks" from the risk assessment.

As with a prior recent settlement reported by the NYDFS, the consent order also requires "full cooperation" from National Securities with the NYDFS regarding the terms of the consent order. The NYDFS notes and acknowledges National Securities' "commendable cooperation" with the investigation and its efforts to remediate identified issues, including devoting significant financial resources to enhancing cybersecurity.

Originally published April 16, 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.