On April 14, the New York State Department of Financial Services (NYDFS) and National Securities Corporation (National Securities) agreed to resolve cybersecurity violations by National Securities that exposed a substantial amount of its customers' nonpublic personal information. NYDFS had been investigating the company for violations of its Cybersecurity Regulation, 23 NYCRR Part 500.
The purpose of 23 NYCRR Part 500 is to protect financial services companies and their customers from ever-increasing cybersecurity threats. The regulation is applicable to banks, insurance companies, New York State-licensed branches and agencies of non-US banks, as well as other financial services companies supervised by the NYDFS.
NYDFS identified several violations of the regulation during its investigation of National Securities, including: (1) failure to implement multifactor authentication (MFA) for all users in its email environment, which led to unauthorized access to email accounts; (2) failure to implement MFA for all third-party applications with access to nonpublic information (NPI); (3) failure to notify NYDFS of cybersecurity events in a timely manner; and (4) filing an incorrect certification of compliance with the regulation.
The Cybersecurity Events that Led to Violations
During its investigation, NYDFS identified the following cybersecurity events and related control weaknesses in the company's environment:
- Lack of MFA: National Securities reported two cybersecurity events to NYDFS. In the first, the company's Human Resources Department received a suspicious email, sent from an employee's own account, requesting a change to the employee's direct deposit details. In the second, a broker at the company noticed an unauthorized transfer of funds out of a client account; on further investigation, National Securities found that the broker's email account had been compromised. In both cases, the affected email accounts were not protected by MFA.
- Lack of MFA for third-party applications: National Securities uses several third-party applications that have access to the company's NPI. NYDFS found that MFA had not been implemented for one of these applications.
- Lack of timely notification of cyber events: NYDFS found two further cybersecurity events that National Securities had not reported, in addition to the two incidents above. In the first, an unauthorized actor gained access to the chief financial officer's email account, potentially exposing NPI. In the second, an unauthorized actor gained access to an employee's account on the company's document management system. (Part 500.17 requires notice to the NYDFS Superintendent within 72 hours of determining that a reportable cybersecurity event has occurred.)
- Incorrect certification of compliance with cybersecurity regulations: Despite these weaknesses in its control environment, National Securities filed a certification of compliance with NYDFS covering this period.
Remediation Requirements as per Settlement Provisions
Under the settlement with NYDFS, in addition to paying a monetary penalty of $3 million, National Securities must submit to NYDFS, within 120 days of the consent order: (a) a cybersecurity incident response plan; (b) a cybersecurity risk assessment of its information systems; and (c) policies, procedures and supporting artifacts demonstrating that the training and monitoring requirements of 23 NYCRR Part 500 are met.
What it Likely Means for Banking, Insurance, and other Financial Services Companies
NYDFS is actively supervising, examining and enforcing this cybersecurity regulation. Its requirements for financial services companies are not fundamentally different from those of many other cybersecurity regulations. Financial services organizations generally have cybersecurity programs in place today, but these are often siloed by business line or built around a single regulation. A piecemeal approach driven solely by compliance requirements tends to add complexity to the program. A better and more efficient approach is to adopt a holistic cybersecurity risk management framework that lets the organization balance the competing objectives of using its data to uncover new business opportunities while protecting that data from external threats and maintaining regulatory compliance.
The four key components of a cybersecurity framework are: (a) Governance; (b) Risk Assessment and Mitigation; (c) Risk Monitoring; and, (d) Incident Management and Reporting.
- Governance: Governance ensures that the cybersecurity strategy is aligned with the organization's business objectives and goals. The aim is to derive maximum benefit by optimizing risk management activities within the organization's resource constraints.
- Risk Assessment and Mitigation: This is the process of identifying external threats and internal vulnerabilities as they relate to the organization's information assets, and of designing countermeasures to mitigate the resulting risks. The key step is defining the organization's risk appetite, which determines the overall approach to risk management. As part of the process, the organization must evaluate and categorize its risks and design effective controls to mitigate those it has identified.
- Risk Monitoring: There is no alternative to continuous monitoring and testing of the information technology environment. No matter how good the existing controls or countermeasures are, there is always a possibility that they will not be sufficient against an emerging threat, or that a new process within the organization will introduce a new vulnerability and thereby expose the organization to new risk.
- Incident Management and Reporting: The objective is to design a plan and related procedures for responding to and recovering from any cybersecurity incident, and for communicating the necessary information to both internal and external stakeholders. The growing sophistication of cyberattacks makes it imperative for organizations to invest in robust response and recovery capabilities.