InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS reaches $4.5 million settlement over cybersecurity violations
On October 18, NYDFS announced a $4.5 million settlement with a licensed health insurance company for alleged violations of the Department’s Cybersecurity Regulation (23 NYCRR Part 500), which contributed to the exposure of consumers’ sensitive non-public information (NPI). According to NYDFS, a bad actor gained access to a shared email mailbox in 2020 via a phishing attack. This mailbox, NYDFS said, allegedly contained more than six years’ worth of consumer NPI. An NYDFS investigation found that the company allegedly, among other things, failed to implement multi-factor authentication throughout its email environment, did not limit user access privileges (thus allowing nine employees to share login credentials to the compromised mailbox), and failed to implement sufficient data retention and disposal procedures. NYDFS asserted that the cybersecurity event may have been avoided or limited in scope if these security controls had been implemented. Furthermore, the company’s alleged failure to conduct an adequate risk assessment as required by 23 NYCRR Part 500, prevented it from being able to identify the user access privilege and data disposal risks associated with the mailbox that was impacted by the phishing attack. Consequently, the company’s cybersecurity certifications for calendar years 2018 - 2021 were improper, NYDFS said.
Under the terms of the consent order, the company is required to pay a $4.5 million civil money penalty and must conduct a comprehensive cybersecurity risk assessment of its information systems. NYDFS recognized the company’s cooperation throughout the investigation and commended its ongoing and completed remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program” and making “changes to its policies, procedures, systems, and governance structures.”
New York proposes new cybersecurity reporting requirements for financial institutions
Recently, NYDFS released proposed second amendments to New York’s Cybersecurity Regulation (23 NYCRR Part 500), which would, if adopted, require a financial institution’s senior officer or board of directors to approve the entity’s cybersecurity policy. Entities would also be required to disclose whether their directors have expertise in overseeing security risks or whether they rely on third-party cyber consultants. Among other things, the proposed amendments would require cybersecurity executives to provide directors timely alerts of significant cyber issues or events and provide annual reports to the board on cyber risks and defenses as well as on plans for remediating identified inadequacies. Additional requirements include: (i) multi-factor authentication for all privileged accounts (except for service accounts), as well as for “remote access to the network and enterprise and third-party applications from which nonpublic information is accessible”; (ii) limitations on asset and data retention management; (iii) training and monitoring of email to prevent unauthorized access; and (iv) incident response, business continuity, and disaster recovery plans.
The proposed amendments also contain provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the entity’s information system. Entities would also be directed to alert the Department within 24 hours of making a ransom payment to a hacker—similar to a ransomware payment disclosure mandate included within the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” covering critical infrastructure (covered by InfoBytes here). Within 30 days, entities would also be required to explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations including federal sanctions implications.
Comments on the proposed amendments are due August 18.
See continuing InfoBytes coverage on 23 NYCRR Part 500 here.
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and crypto currency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.
NYDFS imposes $30 million fine against trading platform for cybersecurity, BSA/AML violations
On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (3 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.
In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.
A Buckley Special Alert is forthcoming.
NYDFS imposes $5 million fine against cruise line for cybersecurity violations
On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.
The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).
NYDFS releases stablecoin guidance
On June 8, NYDFS released new regulatory guidance on the issuance of U.S. dollar-backed stablecoins, establishing criteria for regulated virtual currency companies seeking to issue stablecoins in the state. The guidance outlines baseline criteria for USD-backed stablecoins, including that: (i) a “stablecoin must be fully backed by a Reserve of assets,” such that the Reserve’s market value “is at least equal to the nominal value of all outstanding units of the stablecoin as of the end of each business day”; (ii) stablecoin issuers “must adopt clear, conspicuous redemption policies, approved in advance by [NYDFS] in writing, that confer on any lawful holder of the stablecoin a right to redeem units of the stablecoin from the Issuer in a timely fashion at par for the U.S. dollar”; (iii) Reserve assets must be segregated from an issuer’s proprietary assets and “held in custody with U.S. state or federally chartered depository institutions and/or asset custodians”; (iv) a Reserve must consist of specific assets subject to NYDFS-approved overcollateralization requirements and restrictions; and (v) a Reserve must undergo an examination of its management’s assertions at least once a month by a licensed certified public accountant.
NYDFS emphasized that these criteria are not the only requirements it may impose when issuing stablecoins, and informed regulated entities that it will also consider a range of potential risks prior to granting a regulated entity authorization to issue stablecoins. This includes risk related to “cybersecurity and information technology; network design and maintenance and related technology and operational considerations; Bank Secrecy Act/anti-money-laundering [] and sanctions compliance; consumer protection; safety and soundness of the issuing entity; and the stability/integrity of the payment system, as applicable.” Additional requirements may be imposed on regulated entities to address any of these risks.
NYDFS noted that the regulatory guidance is not applicable to USD-backed stablecoins listed, but not issued, by regulated entities, and stated it “does expect regulated entities that list USD-backed stablecoins to consider this guidance when submitting a request for coin issuance or seeking approval for a coin self-certification policy.”
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. Such characteristics of virtual currencies can create compliance challenges, but also can present new possibilities for new technology-driven control measures. In the guidance, NYDFS outlined expectations for New York State-regulated virtual currency companies, including: (i) establishing control measures that may leverage blockchain analytics; (ii) augmenting due diligence controls; (iii) conducting transaction monitoring of on-chain activity; and (iv) conducting sanctions screening of on-chain activity. NYDFS also emphasized "the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions."
As previously covered by InfoBytes, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance, which provided guidance for effectively managing cyber insurance risk. The framework is the first guidance released by a U.S. regulator on cyberinsurance. NYDFS noted it has “engaged with external stakeholders to inform this new guidance and continues to conduct significant outreach to state, federal and international regulators; industry; and other experts in the field to ensure New York maintains a robust regulatory regime and remains a destination for virtual currency companies to operate.”
DFPI reminds financial institutions of their sanctions compliance obligations
On March 4, the California Department of Financial Protection and Innovation (DFPI) issued guidance, in light of the evolving situation in Ukraine, to remind financial institutions of their sanctions compliance obligations under state and federal law. Licensees are reminded that they are prohibited from participating in financial transactions with individuals and entities listed on the SDN List, and encouraged to review specific, more limited sanctions that have been placed on several Russian entities. This information can be found on OFAC's website.
Additionally, licensees are strongly encouraged to immediately ensure their systems, programs, and processes comply with OFAC regulations, and review and monitor all transactions (particularly trade finance transactions and funds transfers) to identify and block transactions subject to sanctions. Licensees should also follow OFAC directions related to blocked funds.
DFPI further warned that Russia’s invasion of Ukraine increases the risk that listed individuals and entities will attempt to evade sanctions by using virtual currency transfers, and encouraged licensees to review OFAC Guidance to protect against these risks. Licensees engaged in transactions involving virtual currencies are instructed to implement policies, procedures, and processes to protect against the unique risks posed by virtual currencies and should “consider virtual currency-specific control measures including sanctions lists, geographic screening, and any other measures appropriate to the licensee’s specific risk profile.”
Additionally, DFPI cautioned that the “Russian invasion significantly elevates the cyber risk for the U.S. financial sector,” and licensees are instructed to take measures to mitigate cybersecurity threats, including adopting core cybersecurity hygiene measures, eliminating any non-essential networking protocols, ensuring procedures are able to address a ransomware attack, and reevaluating “plans to maintain essential services, protect critical data, and preserve customer confidence considering the realistic threat of extended outages.” Licensees are encouraged to track alerts from the Cybersecurity and Infrastructure Security Agency.
Licensees conducting business in Ukraine and/or Russia should also “take increased measures to monitor, inspect, and isolate traffic from Ukrainian or Russian offices and service providers,” and “segregate networks for Ukrainian or Russian offices from the global network.”
NYDFS also recently issued similar guidance for New York state regulated entities on its cybersecurity and virtual currency regulations in response to the Russian invasion and recently imposed sanctions. (Covered by a Buckley Special Alert.)
NYDFS will take expedited measures to enforce Russian sanctions
On March 2, New York Governor Kathy Hochul announced that NYDFS will increase its sanctions enforcement actions against Russia, including taking measures to expedite the procurement of blockchain analytics tools to detect exposure among regulated licensed virtual currency businesses to Russian individuals, banks, and other entities sanctioned by the Biden administration. “Accelerating the procurement process is a critical step to strengthen the Department's ability to enforce anti-money laundering and Bank Secrecy Act laws in this immediate crisis and beyond,” the announcement stated, explaining that “[l]everaging purpose-built technologies and service providers for virtual currency protects the financial system from illicit activity including money laundering, terrorist financing and ransomware activity.” NYDFS Superintendent Adrienne A. Harris added that monitoring transactions and exposure in real-time is imperative for preventing actors from attempting to evade sanctions through the transmission of virtual currency. The announcement follows NYDFS guidance on cybersecurity and virtual currency issued last week, which raised the specter of elevated cyber risk due to ongoing cyberattacks against Ukraine that could spill over to other networks, as well as potential direct attacks against U.S. critical infrastructure. (Covered by a Buckley Special Alert.) Governor Hochul also issued an Executive Order at the end of February, which directed all New York State agencies and authorities to review and divest public funds from Russia.
Special Alert: NYDFS guidance on cybersecurity and virtual currency responds to events in Ukraine
The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing cyberattacks against Ukraine, which could spill over to other networks, as well as potential direct attacks against U.S. critical infrastructure.
Updated cybersecurity regulation guidance
NYDFS suggested that regulated entities with programs pursuant to its cybersecurity regulation (23 NYCRR 500) have the potential to mitigate increased cyber threats and should take the following steps:
- Review cybersecurity programs for compliance, with particular attention to certain safeguards and core cybersecurity hygiene measures, including access control, vulnerability management, and privileged access review
- Review, update, and test incident-response and business-continuity plans and ensure they address ransomware events
- Review and implement practices pursuant to the June 2021 Ransomware Guidance
- Re-evaluate plans to maintain essential services and protect critical data in the event of an extended outage or service disruption
- Conduct a full test of backup and recovery abilities
- Provide additional cybersecurity awareness training and reminders for all employees
NYDFS also advised that regulated entities should keep track of known threat actors and take extra precautions when doing business in Russia and Ukraine, including segregating Russian and Ukrainian networks. Regulated entities must report cybersecurity events that meet the criteria of 23 NYCRR 500.17(a) as promptly as possible and within 72 hours, and should also report cybersecurity events immediately to law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency.
Guidance in response to recent sanctions
In the last week, the Biden administration imposed significant new sanctions targeting Russian assets, the Russian financial market, and Russian business dealings in response to Russia’s invasion of Ukraine. (See InfoBytes coverage here.) NYDFS reiterated that regulated entities should fully comply with U.S. sanctions on Russia, as well as Part 504 of its regulations regarding transaction monitoring and filtering. In order to comply with the new sanctions, NYDFS recommended that regulated entities take the following steps immediately:
- Monitor all communications from NYDFS, the U.S. Department of the Treasury, the Office of Foreign Assets Control (OFAC), and other federal agencies on a real-time basis to keep tabs on the latest developments
- Modify transaction monitoring and filtering programs as necessary to capture new sanctions as they are proposed
- Monitor all transactions, particularly trade finance transactions and funds transfers, and identify and interdict transactions prohibited by U.S. sanctions.
- Update OFAC compliance policies and procedures on a continuous basis to incorporate the recent sanctions and any new sanctions that may be imposed.
Updated virtual currency regulation guidance
NYDFS also cautioned that sanctioned entities may attempt to use virtual currency to evade sanctions. It said regulated entities must ensure they have “tailored policies, procedures, and processes to protect against the unique risks that virtual currency present” and are complying with the relevant state and federal laws, including the OFAC Sanctions Compliance Guidance for the Virtual Currency Industry and New York virtual currency regulation (23 NYCRR 200). Additionally, regulated entities should monitor the effectiveness of virtual currency-specific control measures, including sanctions lists, geographic screening, geolocation tools/IP address identification and blocking capabilities, and transaction monitoring and investigative tools, including blockchain analytics tools.
Buckley will continue to monitor the ongoing situation in Ukraine and provide updates in conjunction with significant developments.
If you have any questions regarding the NYDFS guidance or the recent Ukraine-related sanctions against Russia, please visit our Privacy, Cyber Risk & Data Security or Bank Secrecy Act/Anti-Money Laundering & Sanctions practice pages, or contact a Buckley attorney with whom you have worked in the past.