NYDFS First Cybersecurity Enforcement Action

The New York State Department of Financial Services (NYDFS) has filed its first cybersecurity enforcement action, alleging that a firm had deficient cybersecurity controls and other flaws in its cybersecurity practices.

Failure to follow cybersecurity policies, failure to conduct a security risk assessment, and failure to remedy security vulnerabilities presumably led to the mass exposure of client NPI and to the pending charges for violating cybersecurity regulations.

A hearing will be held at the office of the New York State Department of Financial Services beginning October 26, 2020, to determine violations of §§ 500.02, 500.03, 500.07, 500.09, 500.14 and 500.15 of Part 500 of Title 23 of the New York Codes, Rules, and Regulations.

Until 2017, cybersecurity for financial services was strongly recommended but remained optional. NYDFS cybersecurity regulation 23 NYCRR 500 became effective March 1, 2017, with a two-year implementation period. This is the first evidence of enforcement since the Department established its “Cybersecurity Requirements for Financial Services Companies.”

On learning about NYDFS’ enforcement action, Brian Edelman, FCI CEO, remarked, “We knew the day was coming that regulation compliance would mandate cybersecurity. FCI’s offering was consciously developed to serve as a complete cybersecurity solution that also meets the requirements of NYDFS regulations.”

For more information about NYDFS’ first enforcement action: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202007221