$1.8 million penalty issued to financial services firms, signaling increased enforcement of NYDFS cybersecurity regulations

In April 2021, the New York Department of Financial Services (NYDFS) announced it levied a fine against First Unum Life Insurance Company and Paul Revere Life Insurance Company for violations of NYDFS’s Cybersecurity Regulations. The companies are subject to a $1.8 million penalty for failure to comply.

According to the announcement, First Unum and Paul Revere experienced phishing attacks in 2018 and 2019 that compromised the email accounts of several employees — employees who had access to a significant amount of personal and sensitive customer data.

A subsequent investigation found the companies hadn’t implemented multi-factor authentication (MFA) or reasonably equivalent access controls. Moreover, the companies falsely certified compliance with the regulations in 2018 when MFA was not fully implemented.

This is just one of several recent NYDFS enforcement actions under the regulations, including a $3 million penalty against National Securities Corporation and $1.5 million against Residential Mortgage Services.

Be aware the effective date for these regulations is well past. If your organization hasn’t already been taking these rules seriously, it’s time to act — because the regulators certainly are.

Far-reaching cybersecurity regulation

New York’s cybersecurity regulation is probably the nation’s most comprehensive (some will say “onerous”) cybersecurity regulation directed at the financial services industry.

The rules, Cybersecurity Requirements for Financial Services Companies, became effective on March 1, 2017, with a transition period for select requirements; full compliance was expected as of March 1, 2019.

The regulations require all covered entities to adopt a cybersecurity program and meet a minimum cybersecurity standard to protect confidentiality, integrity and availability of a covered entity’s information systems.

Under the regulations, a cybersecurity program must perform six core functions: 

1. Identify and assess internal cybersecurity risks that threaten security of non-public information maintained by the institution
2. Implement defensive infrastructure, policies and procedures to protect information systems and nonpublic information from unauthorized access or malicious acts
3. Detect cybersecurity events
4. Respond to identified or detected cybersecurity events and mitigate negative effects
5. Recover from cybersecurity events and restore normal operations
6. Fulfill applicable regulatory reporting obligations

Covered entities were required to submit certification of compliance to the superintendent effective February 15, 2018. Further, covered entities need to provide the NYDFS superintendent with all documentation and information relevant to their cybersecurity program upon request.

Does this apply to your financial services firm? Probably.

Under the regulations, a covered entity is defined as those “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of New York. Generally, this would include any business selling a financial services product to customers who are residents of New York.

The following organizations can claim a limited exemption:

• Organizations employing fewer than 10 employees, including independent contractors
• Organizations with gross annual revenue from New York business operations of less than $5 million in each of the last three years
• Organizations with year-end total assets less than $10 million

Even if you meet the exemption, you are still subject to a variety of cybersecurity, risk assessment, access privileges and other requirements.

Your reminder to take action

NYDFS’s recent regulatory actions are a reminder to make sure your cybersecurity program is compliant. Businesses are advised to work with a qualified cybersecurity practitioner to verify your organization meets the following requirements:

• Cyber program and risk assessment
• Penetration testing and vulnerability assessments
• Audit trails
• Access privileges
• Application security
• Risk assessment
• Cybersecurity personnel and intelligence
• Third-party service provider security policy
• MFA
• Limitations on data retention
• Training and monitoring
• Encryption of nonpublic information
• Incident response plan
• Notification process

It’s important that you have an ongoing audit process to verify compliance and drive corrective action.

Seek expertise to complement your internal team and provide independent perspective on key areas such as CISO, risk assessment, penetration testing and MFA implementation.

Be sure your incident response plan is ready and activated when necessary. Organizations should test and update their plan to be sure they’re ready to respond — and defend their actions to the NYDFS — when an incident occurs. (Emphasis on when, not if.)

Covered entities should take recent NYDFS enforcement actions as a sign to take these regulations seriously. Be sure to investigate cybersecurity events, notify NYDFS when required and conduct ongoing risk assessments.

Wipfli can help

Recent NYDFS enforcement actions show just how much companies stand to lose for noncompliance.  Wipfli can help financial services firms meet regulatory expectations and protect their organization. Our cybersecurity specialists understand the regulatory landscape as well as the business constraints of the financial services industry.

To receive assistance, talk to your relationship manager or reach out to Wipfli’s cybersecurity team today.

Related content:

• Multifactor authentication: Why you need it now
• Cybercrime and your money: Banking on human error
• Fighting the wave of coronavirus phishing scams