On April 14, 2021, the New York Department of Financial Services
("NYDFS") announced a settlement with National
Securities Corporation ("National Securities"), a
licensed insurer, in connection with claims under the NYDFS
Cybersecurity Regulation (23 NYCRR Part 500). The consent order requires payment of a $3M
penalty and mandatory remediation in response to alleged failures
to properly implement multi-factor authentication, provide notice
to NYDFS of two cybersecurity events reported to other regulators
in 2018 and 2019, and for falsely certifying compliance for the
calendar year 2018.
The consent order demonstrates continued active enforcement of
the Cybersecurity Regulation by the NYDFS. The $3M penalty is the
largest published assessment to date for alleged violations of the
Cybersecurity Regulation. The consent order follows a $1.5M
assessment in a separate matter announced last month. It is the second order (in a
relatively short period of time) that specifically targets
undisclosed prior security incidents. The consent order is the
first announced order to specifically fault a licensee for a false
annual certification (in this case, for a certification relating to
the 2018 calendar year). Thus, the consent order highlights the
NYDFS's continued strong interest in assessing past as well as
current-state compliance with the Cybersecurity Regulation.
The consent order also addresses the NYDFS's interpretation
of multi-factor authentication requirements under the Cybersecurity
Regulation. National Securities is faulted for failing to fully
implement multi-factor authentication (or maintain equivalent
controls approved by the Chief Information Security Officer) with
respect to third-party applications "which accessed National
Securities' internal network or contained consumer Nonpublic
Information" (NPI). Based on the consent order, the
third-party applications used by National Securities include
cloud-based applications accessible to National Securities
employees and independent contractors. The consent order raises the
issue of whether multi-factor authentication is expected for
all third party cloud-based applications containing NPI or
only for such applications which also access the
licensee's internal network (consistent with the Cybersecurity
Regulation § 500.12(b)).
The consent order also alleges other failures by the insurer under the
Cybersecurity Regulation:
- National Securities experienced two cyber events in 2018 and
2019 in which threat actors accessed the email account of the Chief
Financial Officer and accessed an employee's "secure
document management system" associated with tax software.
Although National Securities notified numerous regulatory and
enforcement authorities, the NYDFS alleges that it did not
receive proper notification.
- National Securities certified compliance with the Cybersecurity
Regulation for the 2018 calendar year on January 23, 2019. In light
of the failures alleged elsewhere, the NYDFS maintains that this
certification was false at the time it was made.
In addition to payment of the $3M civil monetary penalty, the
consent order also requires substantial remediation, including
submissions of the following to the NYDFS within 120 days:
- A comprehensive written cybersecurity incident response plan
- A comprehensive "Cybersecurity Risk Assessment"
- "risk-based policies, procedures and controls designed to:
(a) monitor the activity of Authorized Users and (b) detect
unauthorized access or use of, or tampering with, NPI by such
Authorized Users"
- Cybersecurity training materials for all personnel, as
"updated to reflect risks" from the risk assessment.
As with a prior recent settlement reported by the NYDFS, the
Consent Order also requires "full cooperation" from
National Securities with the NYDFS regarding the terms of the
Consent Order. The NYDFS notes and acknowledges National
Securities' "commendable cooperation" with the
investigation and efforts to remediate identified issues, including
devoting significant financial resources to enhance
cybersecurity.
Originally published April 16, 2021
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.