On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.
NYDFS Cybersecurity Regulation
Readers may recall that NYDFS’ cybersecurity regulation went into effect in March of 2017. Among its requirements, the regulation states that each financial services licensee must implement multi-factor authentication (MFA) or else implement “reasonably equivalent or more secure access controls” that are approved in writing by the licensee’s Chief Information Security Officer (CISO). The regulation requires that a licensee report a cybersecurity event to NYDFS within 72 hours of its determination of the event. Finally, the regulation includes an annual certification of compliance, to be filed with NYDFS. If a licensee is unable to certify compliance with all applicable requirements, NYDFS has stated that the licensee may not submit a certification (FAQ 33).
According to the consent order, the matter began when NSC reported a cybersecurity event to NYDFS on October 23, 2019. On September 18, 2019, an NSC Human Resources representative received a suspicious email from an employee claiming to need assistance with a change to the employee’s direct deposit. NSC’s investigation revealed that the unauthorized access to the employee’s MS O365 account occurred between September 13 and September 18, likely through phishing. NSC notified the potentially impacted customers, changed their account credentials, and provided credit monitoring. Unfortunately, NSC had not implemented MFA, but it had certified it was in compliance with the cybersecurity regulation for 2018 when it filed with NYDFS on January 23, 2019.
NSC reported a second cybersecurity event to NYDFS on May 12, 2020. This time, an independent contractor (broker) at an NSC affiliate noticed a potential $200,000 transfer of funds from a client account that appeared to be unauthorized. The broker notified his manager, and two additional unauthorized transfers of the same amount were discovered. The affiliate’s help desk supervisor found forwarding rules on the broker’s O365 email account from April 15 through April 30, and again found phishing was the likely source. The affiliate refunded the unauthorized transfers to the customers, but suffered a $400,000 loss. NSC contacted the affected customers whose personal information was potentially affected, changed their account credentials, and provided credit monitoring. Although the affiliate’s employee accounts had enabled MFA, the independent contractors had not been migrated to MFA at the time. NYDFS noted that NSC did not have alternate controls in place that the CISO had approved in writing.
NYDFS also pointed out that NSC used more than 60 third party applications containing personal information and had not implemented MFA for all of them, even as of the date of the consent order.
NYDFS investigated NSC’s cybersecurity program and discovered two additional cybersecurity events that NSC had not reported to NYDFS. The first event occurred in April of 2018, when the CFO clicked on a phishing email, which enabled the threat actor to gain access to the CFO’s account and set a forwarding rule to an external account. Although NSC notified the individuals and 3 states’ attorneys general (Massachusetts, New Jersey and New York), it did not notify NYDFS.
The second incident occurred in March of 2019. A threat actor gained access to an employee’s document management system account. NSC learned that the threat actor likely gained access through a phishing email. NSC notified the individuals, and the SEC, FBI, and County Sheriff’s Office, but did not notify NYDFS.
The Consent Order
NSC agreed to pay NYDFS $3 million as a civil monetary penalty. NYDFS acknowledged NSC’s “commendable cooperation” and “ongoing efforts to remediate the shortcomings.” In addition, NSC agreed to continue to strengthen its controls, including delivering the following documentation within 120 days to NYDFS:
- Comprehensive written cybersecurity incident response plan;
- Comprehensive cybersecurity risk assessment; and
- Training and monitoring materials.
Note that the consent order expressly provides that it does not prevent the company from using any defense to any action by any federal or state agency or any private action.