By Alma Angotti, Prasun Howli
On May 2, 2023, the New York State Department of Financial Services (NYDFS or the Department) and bitFlyer USA, Inc. (bitFlyer or the Company) agreed to resolve the cybersecurity violations committed by bitFlyer related to multiple deficiencies in its cybersecurity program pertaining to 23 New York Codes, Rules and Regulations (NYCRR) Part 200[1] and 23 NYCRR Part 500[2]. bitFlyer is licensed by the NYDFS to engage in virtual currency business activity in New York State, pursuant to 23 NYCRR Part 200. The company is also registered with the U.S. Treasury’s Financial Crimes Enforcement Network as a money service business. 23 NYCRR Part 200 is applicable to virtual currency institutions, New York State-licensed branches and agencies of non-U.S. virtual currency institutions, as well as other virtual currency companies supervised by the NYDFS. The 23 NYCRR Part 500 cybersecurity regulation is applicable to banks, insurance companies, New York State-licensed branches and agencies of non-U.S. banks, and all other financial services companies that are supervised by the NYDFS. Through its examination of bitFlyer, NYDFS identified several deficiencies, including failure to establish and maintain an effective cybersecurity program due to the lack of a comprehensive cybersecurity risk assessment and the lack of written cybersecurity policies and procedures.
During its investigation, NYDFS discovered the following cybersecurity weaknesses in bitFlyer’s environment:
Lack of periodic risk assessment — The Department discovered that bitFlyer had not performed periodic cybersecurity risk assessments; instead, the company relied upon an IT audit performed by bitFlyer Japan to fulfill the requirements of the NYDFS cybersecurity regulation. NYDFS stated in its order that an IT audit cannot substitute for a cybersecurity risk assessment, as an IT audit does not provide visibility into an organization’s cybersecurity risks. Periodic risk assessment is a key requirement of 23 NYCRR 500, which requires organizations to identify existing and new risks and to assess the adequacy of existing controls to mitigate the identified risks. Because the cybersecurity program designed by bitFlyer was not informed by the outcome of a comprehensive cybersecurity risk assessment, the Department concluded that the program was not adequately designed to protect the confidentiality, integrity, and availability of information and related IT systems.
Lack of a documented cybersecurity policy — NYDFS found that bitFlyer had not developed information security policies and procedures tailored to the needs of the organization. The policy included several material errors, including omission of governance and the organization’s structure, referenced entities, and groups. Additionally, the Department noted that the policies and procedures were poorly translated from the Japanese originals. The policies and procedures were also not reviewed annually and were not approved by the board.
As per the settlement, the company will pay a civil monetary penalty in the amount of one million, two hundred thousand dollars ($1,200,000.00). Additionally, bitFlyer will implement the remediation plan for its compliance program that the company developed during the course of the investigation and that was subsequently approved by the Department. bitFlyer will provide progress reports on the remediation plan to the Department on a quarterly basis.
The purpose of the 23 NYCRR Part 500 cybersecurity regulation is to protect financial services companies and their customers from ever-growing cybersecurity threats. The rule requires that each entity assess its cybersecurity risk profile and develop a robust program to address cyber risks. The key components of the regulation include:
Cybersecurity Program — Develop and maintain a cybersecurity program to protect the confidentiality, integrity, and availability of the information, based on a risk assessment of the covered entity.
Cybersecurity Policy — Implement and maintain written policies, approved by a senior officer or the board of directors, for the protection of its information systems and nonpublic information.
Chief Information Security Officer — Designate a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy.
Penetration Testing and Vulnerability Assessments — Design a monitoring and testing program based on the risk assessment outcome, and perform annual penetration testing and bi-annual vulnerability assessments.
Risk Assessment — Conduct periodic risk assessments to identify gaps and update the cybersecurity program to meet the evolving needs of the organization as business processes, technology, and/or operations change.
Access Privileges and Multi-Factor Authentication — Limit access to nonpublic information and use multi-factor authentication wherever applicable.
Training and Monitoring: Monitor the activity of authorized users to detect unauthorized access to or use of nonpublic information by authorized users, and conduct regular cybersecurity awareness training for all personnel.
Third-Party Service Provider Security Policy — Design, document, and implement third-party risk management policies and procedures to ensure the security of data handled by third-party service providers.
In addition, the regulation includes requirements related to application security, cybersecurity personnel, encryption, incident response planning, audit trails, and data retention.
In today’s world, cybersecurity has become more important than ever. The growth of fintech organizations and digital technologies is introducing new challenges. With the advent of blockchain, AI, big data, and cloud infrastructure, the complexity of managing cybersecurity risks will only increase. We expect to see new regulations and more enforcement actions as regulators seek to keep pace with cybersecurity threats.
Guidehouse has assisted many clients across various industry sectors and geographies with assessing their cybersecurity risk and operationalizing their compliance with U.S. and international regulations.
[1] New York State Department of Financial Services, 23 NYCRR 200 - Regulations relating to the conduct of business involving virtual currency.
[2] New York State Department of Financial Services, 23 NYCRR 500 - Cybersecurity requirements for financial services companies.