On April 14, 2021, the New York State Department of Financial Services (the “DFS”)  announced that its cyber enforcement action against National Securities Corporation (“National Securities”) has been resolved by a Consent Order that imposes a $3 million penalty. This is the latest step in the DFS’s very active cyber-enforcement agenda.  The charges against First American Title Insurance Company are pending with an August 16 hearing date, and last month, the DFS reached its first full cybersecurity resolution with Residential Mortgage Services.

The resolution—the first on the insurance side of the DFS house—cites National Securities for several violations of the DFS Part 500 Cybersecurity Regulation (“Part 500”), including:

  • Failure to implement multifactor authentication (“MFA”), or a reasonably equivalent security control, for accessing National Securities’ email environment, leading to four breaches;
  • Failure to notify the DFS of two of the cybersecurity events; and
  • Falsely certifying compliance with Part 500.

In addition to the $3 million fine, National Securities must undertake various risk-mitigation measures in an effort to prevent future incidents.

National Securities’ Reported Cybersecurity Events

National Securities is headquartered in New York and is licensed by the DFS to sell insurance, making it subject to Part 500. National Securities experienced two cybersecurity events that it reported to the DFS:

  • In September 2019, National Securities discovered that an employee’s email account, which lacked MFA or alternative controls as required by Part 500, had been compromised by what was likely a phishing scheme. This likely resulted in unauthorized access to certain customers’ nonpublic information.
  • In April 2020, National Securities discovered that the email account of a broker at one of National Securities’ affiliates, which did not have MFA enabled, was successfully phished. Ultimately, National Securities determined that $400,000 of client funds were taken. The incident also potentially impacted some customers’ nonpublic information.

National Securities’ Unreported Cybersecurity Events

During its investigation into National Securities’ cybersecurity program, the DFS became aware of two cyber incidents that National Securities had not reported to the DFS promptly:

  • In April 2018, National Securities learned that a threat actor had set up an automatic forwarding rule on its CFO’s email account, potentially exposing customers’ nonpublic information. Although National Securities notified the Attorneys General of New York and several other states, National Securities failed to notify the DFS of that event.
  • In March 2019, National Securities discovered a phishing scheme that granted an unauthorized threat actor access to an employee’s secure document management system account. Again, although National Securities notified several federal agencies and local law enforcement, it did not notify the DFS.

Because of the violations mentioned above, the DFS also determined that National Securities falsely certified compliance with the MFA and breach notification requirements of Part 500.

Terms of the Settlement

In assessing the $3 million penalty, the DFS considered National Securities’ cooperation, its ongoing efforts to remediate cybersecurity shortcomings, and its commitment to devote significant financial resources to enhance the company’s cybersecurity program. The other terms of the settlement include submission of the following to the DFS within 120 days:

  • A comprehensive cybersecurity incident response plan;
  • A cybersecurity risk assessment; and
  • Training and monitoring documents demonstrating risk-based policies and procedures for monitoring users’ activity and identifying unauthorized access, and updated training based on the findings of the risk assessment.

Key Takeaways

  1. The Need for MFA or Equivalent Approved by the CISO: Entities subject to Part 500 must implement MFA for all individuals who access the entity’s internal networks from an external network, which includes contractors with remote access that is similar to employee access. National Securities appears to have implemented access controls designed to reduce the risks associated with some of its MFA gaps, but the DFS viewed those measures as insufficient. In the absence of MFA, such compensating controls can only satisfy the Section 500.12 requirements if the CISO has approved them, in writing, as providing reasonably equivalent protection.
  2. The Need to Notify the DFS Whenever Other Regulators Are Required to be Notified of a Cybersecurity Event: Section 500.17(a)(1) of Part 500 provides that notification to the DFS is mandatory whenever a cybersecurity event (i) impacts a DFS-regulated entity, and (ii) notice of that event is required to be provided to any government body, self regulatory agency, or other supervisory body.
  3. Dealing Effectively with Obligations Around Third-Party Applications and Personnel: The DFS notes that there is an obligation under Part 500 to implement MFA for third-party applications, indicating that even as of the date of the Consent Order, National Securities had not fully met that obligation. The Consent Order also calls out National Securities for implementing MFA for certain employee users, while taking an additional year to do the same for independent contractors with access to its internal network.
  4. The DFS Views Certifications as Requiring Full Compliance: The Consent Order provides that because of the MFA and breach notification failures, National Securities’ annual certification of compliance to the DFS was false, and that was considered a separate violation of Part 500.

Conclusion

This Consent Order underscores the importance with which the DFS views Part 500’s access-control requirements. The DFS is also making clear that, absent a compensating control, MFA is required for everyone who remotely accesses the network—employees and third parties alike. Regulated entities should carefully review their network access controls to ensure they have implemented MFA for anyone who can remotely access their network, or that any compensating control has been approved by the CISO, in writing, as providing equivalent protection.

The DFS also makes clear that it expects full compliance with the Part 500.17(a) requirement to provide notice to the DFS when other regulators are being notified about a cybersecurity event. Regulated entities should review their incident response plans and playbooks to ensure that they are taking the Part 500.17(a) follow-on notice requirement—and its quick 72-hour window—into consideration when evaluating notification obligations. Even regulated entities that otherwise comply with their state or federal breach-notification obligations can be subject to an enforcement action for failure to notify the DFS as required.

* * *

Debevoise has developed the Debevoise Data Portal, an online tool to help companies quickly assess their federal, state and international breach-notification obligations resulting from a cyber incident. Please contact us at dataportal@debevoise.com for more information.

To subscribe to the Data Blog, please click here.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Christopher S. Ford is an associate in Debevoise's Litigation Department who is a member of the firm’s Intellectual Property Litigation group and Data Strategy & Security practice. He can be reached at csford@debevoise.com.

Author

Parker Eudy is an associate in the Debevoise Litigation Department. He can be reached at pceudy@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.