
A recent $3 million cybersecurity consent order issued by the New York Department of Financial Services provides valuable lessons on how financial service firms—even those outside of New York—should ensure the security of their systems and communications tools, says Marc Gilman, general counsel of Theta Lake.

The New York Department of Financial Services (DFS) has been busy in 2021 with several cybersecurity-related matters. It introduced a cybersecurity insurance risk framework, issued a security alert about Microsoft Exchange, sent out another alert about fraud, and entered into a consent order with Residential Mortgage Services, Inc.

On April 14, the DFS announced another consent order, this one with National Securities Corporation (NSC), for violations of 23 NYCRR 500, its cybersecurity regulation. The fine was a significant $3 million (twice that imposed on Residential Mortgage). The order also required remedial actions, including submission of refined incident response plans, risk assessments, and training and monitoring materials, all worth examining for lessons for compliance and security practitioners.

The impact of the consent order goes beyond insurance and financial services organizations in New York. The DFS cybersecurity regulation served as the basis for the NAIC's model cybersecurity law, which is now in force or proposed in roughly 20 states, and it overlaps with many of the common controls found in SOC 2, ISO 27001, and other security frameworks.

Even if your organization is not subject to the DFS regulation, take heed of the findings below.

Read the full article at Bloomberg Law.

Author: Marc Gilman

Marc brings a wealth of experience to the Theta Lake team, where he advises on technology, privacy, and product strategy. Marc is also an adjunct professor at Fordham Law where he teaches a course on compliance, technology, and financial services. Prior to joining Theta Lake, Marc held legal and compliance roles at Morgan Stanley and was a litigation associate at Schiff Hardin LLP. Gilman is a certified information privacy professional with both the CIPP/E and CIPP/US credentials.
