By Kathryn Rock, Prasun Howli
On April 14, the New York State Department of Financial Services (NYDFS) and National Securities Corporation (National Securities) agreed to resolve the cybersecurity violations committed by National Securities that exposed a substantial amount of nonpublic personal data of its customers. NYDFS had been investigating the company for violations of the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (23 NYCRR Part 500).
The purpose of 23 NYCRR Part 500 is to protect financial services companies and their customers from ever-increasing cybersecurity threats. The regulation is applicable to banks, insurance companies, New York State-licensed branches and agencies of non-US banks, as well as other financial services companies supervised by the NYDFS.
NYDFS identified several regulation violations when investigating National Securities, including: (1) lack of multifactor authentication (MFA) for all users in its email environment, leading to unauthorized access to email accounts; (2) lack of MFA for all third-party applications that have access to nonpublic information (NPI); (3) lack of timely notification of cyber events; and (4) incorrect certification of compliance with the cybersecurity regulation.
During its investigation, NYDFS discovered the following cybersecurity events and related control weaknesses in the company’s environment:
Under the settlement with NYDFS, in addition to paying a monetary penalty of $3 million, National Securities must, as required by 23 NYCRR Part 500, submit within 120 days of the consent order: (a) a cybersecurity incident response plan; (b) a cybersecurity risk assessment of National Securities' information systems; and (c) policies, procedures, and artifacts demonstrating fulfillment of the regulation's training and monitoring requirements.
NYDFS is currently active in its supervision, examination, and enforcement of this cybersecurity regulation. Its cybersecurity requirements for financial services companies are not fundamentally different from those of many other cybersecurity regulations. While financial services organizations have cybersecurity programs in place today, their typical approach is either siloed by business line or focused on a specific regulation. A piecemeal approach driven solely by individual compliance requirements tends to increase the complexity of the program. A better and more efficient approach is to adopt a holistic cybersecurity risk management framework that enables the organization to balance the competing objectives of leveraging its data to uncover new business opportunities, protecting that data from external threats, and maintaining regulatory compliance.
The four key components of such a cybersecurity framework are: (a) governance; (b) risk assessment and mitigation; (c) risk monitoring; and (d) incident management and reporting.