Critical Point in Recent NYS DFS Enforcement Actions

In the last post, it was noted that the NYS Department of Financial Services (“DFS”) was ramping up enforcement of its Cybersecurity Regulation as evidenced by two recently announced multi-million dollar settlements.¬† One of the reasons for the hefty penalties is that DFS determined a number of breaches that went unreported to DFS pursuant to the Cybersecurity Regulation.¬† In fact, it appears that one entity was subject to a much more severe penalty – over an additional $1.5 million dollars – primarily for its decision to not report certain breaches.

 

The penalty and enforcement action against National Securities Corporation (“NSC”) is illustrative.¬† ¬†On April 14, 2021, DFS announced a $3 million penalty against NSC.¬† See the DFS NSC¬† announcement here-¬†https://dfs.ny.gov/reports_and_publications/press_releases/pr202104141.¬†¬†In comparison, about four weeks later, DFS assessed a $1.2 million penalty (less than half of the NSC penalty) against¬†First Unum Life Insurance Company of America and Paul Revere Life Insurance Company (collectively “Paul Revere”).¬† ¬†See the DFS Paul Revere announcement here¬†–¬†https://dfs.ny.gov/reports_and_publications/press_releases/pr202105131.

 

A close inspection reveals that both NSC and Paul Revere were cited by DFS for breaches involving sensitive data coupled with the DFS determination that both companies¬†failed to implement Multi-Factor Authentication and¬†falsely certified compliance.¬†¬†However, only NSC was cited for the failure to report prior breaches.¬† ¬†As DFS emphasized, “The Department‚Äôs investigation uncovered evidence that National Securities had been the subject of four¬†cyber¬†breaches between 2018 and 2020, two of which had not been reported to the Department as mandated by the¬†Cybersecurity Regulation.”¬†¬†

 

In sum, it is critical¬†that a company properly assess suspected breaches to determine whether they are reportable pursuant to the Cybersecurity Regulation, especially in light of DFS’s increased enforcement.¬† Thus, in the next installment, we will¬†take a deeper look at the Cybersecurity Regulation and the criteria for reporting a breach to DFS.