InfoBytes Blog

NYDFS orders digital currency trading company to pay $8 million

On January 12, NYDFS announced that it had entered into a consent order with a digital currency trading company after an investigation that found the company responsible for compliance failures that violated NYDFS’s virtual currency and cybersecurity regulations, leaving the company vulnerable to illicit activity and cybersecurity threats.  

NYDFS found that the company failed to meet its compliance obligations due to (i) deficiencies in the company’s AML program; (ii) failure to file compliant suspicious activity reports; (iii) failure to conduct required OFAC screening; and (iv) failure to maintain an adequate cybersecurity program. In connection with the settlement, the company will surrender its BitLicense, the license required to be held by any company conducting virtual currency business in New York state and pay an $8 million penalty. 

State Issues NYDFS Digital Currency Cyber Risk & Data Security Bank Secrecy Act Anti-Money Laundering Cryptocurrency OFAC Enforcement

NYDFS settles with title insurance company for $1 million

On November 27, the NYDFS entered into a consent order with a title insurance company, which required the company to pay $1 million for failing to maintain and implement an effective cybersecurity policy and correct a cybersecurity vulnerability. The vulnerability allowed members of the public to access others’ nonpublic information, including driver’s license numbers, social security numbers, and tax and banking information. The consent order indicates the title insurance company discovered the vulnerability as early as 2018. The title insurance company’s failure to correct these changes violated Section 500.7 of the Cybersecurity Regulation.

In May 2019, a cybersecurity journalist published an article on the existence of a vulnerability in the title insurance company’s application, that led to a public exposure of 885 million documents, some found through search engine results. The journalist noted that “replacing the document ID in the web page URL… allow[ed] access to other non-related sessions without authentication.” Following the cybersecurity journalist’s article, and as required by Section 500.17(a) of the Cybersecurity Regulation, the title insurance company notified NYDFS of its vulnerability, at which point NYDFS investigated further. The title insurance company has been ordered to pay the penalty no later than ten days after the effective date.

Privacy, Cyber Risk & Data Security State Issues Securities NYDFS Auto Insurance Enforcement

NYDFS introduces guidelines for coin-listing and delisting policies in virtual currency entities

On November 15, NYDFS announced new regulatory guidance which adopts new requirements for coin-listing and delisting policies of DFS-regulated virtual currency entities, updating its 2020 framework for each policy. After considering public comments, the new guidance aims to enhance standards for self-certification of coins and includes requirements for risk assessment, advance notification, and governance. It emphasizes stricter criteria for approving coins and mandates adherence to safety, soundness, and consumer protection principles. Virtual currency entities must comply with these guidelines, requiring DFS approval for coin-listing policies before self-certifying coins, and submitting detailed records for ongoing compliance review. The guidance also outlines procedures for delisting coins and necessitates virtual currency entities to have an approved coin-delisting policy.

As an example under coin listing policy framework, the letter states that a virtual currency entity risk assessment must be tailored to a virtual currency entity's business activity and can include factors such as (i) technical design and technology risk; (ii) market and liquidity risk; (iii) operational risk; (iv) cybersecurity risk; (v) illicit finance risk; (vi) legal risk; (vii) reputational risk; (viii) regulatory risk; (ix) conflicts of interest; and (x) consumer protection. Regarding consumer protection, NYDFS says that virtual currency entities must “ensure that all customers are treated fairly and are afforded the full protection of all applicable laws and regulations, including protection from unfair, deceptive, or abusive practices.”

Similar to the listing policy framework, the letter provides a fulsome delisting policy framework. The letter also stated that all virtual currency entities must meet with the DFS by December 8 to preview their draft coin-delisting policies and that final policies must be submitted to DFS for approval by January 31, 2024.

State Issues Privacy Agency Rule-Making & Guidance Fintech Cryptocurrency Digital Assets NYDFS New York Consumer Protection

NYDFS publishes new proposal on cybersecurity regs

On June 28, NYDFS published an updated proposed second amendment to the state’s cybersecurity regulation (23 NYCRR 500) reflecting revisions made by the department in response to comments received on proposed expanded amendments published last November. (Covered by InfoBytes here.) NYDFS’ cybersecurity regulation, effective in March 2017, imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. (Covered by InfoBytes here.) Proposed changes include:

• New and amended definitions. The proposed second amendment defines “Chief Information Security Office or CISO” to mean “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program.” Certain references to a CISO’s responsibilities have been moved and slightly modified throughout. The amendments also clarify that affiliates should only include “those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity” for the purposes of calculating the number of employees and gross annual revenue for consideration as a “Class A Company.” The definition of a “privileged account” has also been modified to remove a condition that an authorized user account or service account be able to affect a material change to the technical or business operations of the covered entity. Risk assessments also no longer include a requirement that a covered entity “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” Additionally, “senior governing body” now specifies that for “any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”
• Notice of a cybersecurity event. Under 23 NYCRR 500, entities are required to notify NYDFS within 72 hours after a determination has been made that a cybersecurity event has occurred at a covered entity, its affiliates, or a third-party service provider. The amendments remove a 90-day period for covered entities to provide the superintendent with requested information, and instead provides that “[e]ach covered entity shall promptly provide any information requested regarding such event. Covered entities shall have a continuing obligation to update and supplement the information provided.” Covered entities will be required to maintain for examination, and now inspection by the department upon request, all records, schedules, and supporting data and documentation.
• Exemptions. The proposed second amendment now offers that “[a]n employee, agent, wholly-owned subsidiary, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, wholly-owned subsidiary, representative or designee is covered by the cybersecurity program of the covered entity.”
• Additional modifications. Other slight modifications have been made throughout that include removing a requirement that covered entities “document material issues found during testing and report them to its senior governing body and senior management,” and deleting a requirement that Class A companies use external experts to conduct risk assessments at least once every three years. The proposed second amendment makes changes to third-party service provider policy requirements and multi-factor authentication provisions and replaces a reference to a covered entity’s board of directors or equivalent with the “senior governing body.” Language defining these responsibilities has been slightly modified. Additionally, incident response plans must also now include a root cause analysis describing “how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” Furthermore, when assessing penalties, the superintendent may now also consider “the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST.”

The proposed second amendment is subject to a 45-day comment period expiring August 14.

Privacy, Cyber Risk & Data Security State Issues NYDFS 23 NYCRR Part 500 State Regulators

NYDFS circulates advisory on file transfers

On June 2, NYDFS notified all regulated entities that an identified SQL injection vulnerability found in a web application of a managed file transfer software may allow unauthenticated attackers to gain access to its database. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others circulated the advisory, which cautioned that this vulnerability is being actively exploited by threat actors to deploy ransomware, steal data, and disrupt operations. NYDFS advised all regulated entities to conduct prompt risks assessments on their organizations, customers, consumers, and third-party service providers to mitigate risk. Regulated entities were also reminded about the requirement to report cybersecurity events as promptly as possible but no later than 72 hours at the latest, and that “evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated,” are considered a reportable cybersecurity event under 23 NYCRR Section 500.17(a)(2).

Privacy, Cyber Risk & Data Security State Issues State Regulators NYDFS Department of Homeland Security 23 NYCRR Part 500 Consumer Protection Act

Crypto platform reaches $1.2 million settlement on alleged compliance failures

On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged deficiencies in the respondent’s cybersecurity program, as required by both the cybersecurity regulation and the state’s virtual currency regulation (23 NYCRR Part 200). Following the examinations, NYDFS initiated an investigation into the respondent’s cybersecurity program. The Department concluded that the respondent failed to conduct periodic cybersecurity risk assessments “sufficient to inform the design of the cybersecurity program,” and failed to establish and maintain an effective cybersecurity program and implement a reviewed and board-approved written cybersecurity policy. Moreover, NYDFS claimed the respondent’s policies and procedures were not customized to meet the company’s needs and risks. Under the terms of the consent order, the respondent must pay a $1.2 million civil monetary penalty and submit quarterly progress reports to NYDFS detailing its remediation efforts. 

State Issues Digital Assets Privacy, Cyber Risk & Data Security State Regulators NYDFS New York Enforcement Cryptocurrency 23 NYCRR Part 200 23 NYCRR Part 500 Virtual Currency

NYDFS, crypto payment company reach AML/cybersecurity settlement

On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.

State Issues Digital Assets Privacy, Cyber Risk & Data Security State Regulators NYDFS Anti-Money Laundering Cryptocurrency Virtual Currency Payments Fintech Settlement 23 NYCRR Part 200 23 NYCRR Part 500 OFAC Risk Management

Crypto platform reaches $100 million settlement to resolve alleged compliance failures

On January 4, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of New York virtual currency, anti-money laundering, transaction monitoring, and cybersecurity regulations. According to the consent order, in 2020, NYDFS found significant deficiencies across the respondent’s compliance program, including its Know-Your Customer/Customer Due Diligence (KYC/CDD) procedures, Transaction Monitoring System (TMS), OFAC screening program, and AML risk assessments. As a result of these findings, the respondent agreed to improve its BSA/AML and OFAC compliance programs, including engaging an independent consultant to develop a remediation plan and improve its compliance program.

In 2021, NYDFS launched an investigation to determine whether the respondent’s compliance deficiencies had resulted in any legal violations. The investigation found “substantial lapses in [the respondent’s] KYC/CDD program, its TMS, and in its AML and OFAC sanctions controls systems, as well as issues concerning [the respondent’s] retention of books and records, and with respect to meeting certain of its reporting obligations to the Department.” NYDFS noted that in late 2020 and 2021, the respondent took steps to remediate the issues identified by the Department and the independent consultant; however, substantial weaknesses remained, and its compliance system was inadequate to handle the growing volume of the respondent’s business.

Under the terms of the consent order, the respondent must pay a $50 million civil penalty to NYDFS and invest $50 million in its compliance program. Additionally, an independent third party will continue to work with the respondent for another year, which may be extended at the Department’s sole discretion. NYDFS noted that the respondent has already taken steps to build a more effective and robust compliance program under the supervision of NYDFS and the NYDFS-appointed independent monitor. According to the respondent’s press release, the company “has taken substantial measures to address these historical shortcomings” and “remains committed to being a leader and role model in the crypto space, including partnering with regulators when it comes to compliance and other areas.”

State Issues Digital Assets NYDFS New York Enforcement Bank Secrecy Act Anti-Money Laundering Money Service / Money Transmitters Virtual Currency Cryptocurrency Customer Due Diligence Financial Crimes

NYDFS's Harris to serve as the state banking representative on the FSOC

On December 13, the Conference of State Bank Supervisors (CSBS) announced that NYDFS Superintendent Adrienne A. Harris will serve as the state banking representative on the Financial Stability Oversight Council (FSOC). According to the announcement, in 2013, Superintendent Harris joined the Obama Administration as a Senior Advisor in the U.S. Department of Treasury prior to being appointed as the Special Assistant to the President for Economic Policy. In this role, she managed the financial services portfolio, focusing on the implementation of Dodd-Frank, and developed strategies for financial reform, consumer protections, cybersecurity and housing finance reform. According to James M. Cooper, president and CEO of CSBS, Harris’s “background and experience at both the federal and state level will be an asset for the council as it manages emerging risk during a time of economic uncertainty.”

State Issues CSBS NYDFS New York FSOC

NYDFS amends cybersecurity regs

On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”

Some changes within the proposed amended regulation include:

• New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (includes both the covered entity and all affiliates despite the location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
• Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
  • The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
  • The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
  • The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
  • If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
• Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
• Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
• Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
• Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
  • Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory.  At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
  • Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
  • Multi-Factor Authentication:  The proposed amendment expands the type of accounts and access types that require multi-factor authentication, to include all privileged accounts.
  • Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
• Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent within 90 days of the notice of the cybersecurity event “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would also be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
• Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.

The proposed amended regulation is subject to a 60-day comment period beginning on November 8th upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. As the comment period ends, NYDFS will then review received comments and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply except as otherwise specified.

See continuing InfoBytes coverage on 23 NYCRR Part 500 here.

Privacy, Cyber Risk & Data Security Bank Regulatory Agency Rule-Making & Guidance State Issues New York NYDFS 23 NYCRR Part 500