A recent $3 million cybersecurity consent order issued by the New York Department of Financial Services provides valuable lessons on how financial service firms—even those outside of New York—should ensure the security of their systems and communications tools, says Marc Gilman, general counsel of Theta Lake.
The New York Department of Financial Services (DFS) has been busy in 2021 with several cybersecurity-related matters. It introduced a cybersecurity insurance risk framework, issued a security alert about Microsoft Exchange, sent out another alert about fraud, and entered into a consent order with Residential Mortgage Services, Inc.
On April 14, the DFS announced another consent order with National Securities Corporation (NSC) for violations of 23 NYCRR 500, its cybersecurity regulation, with a significant fine of $3 million (twice that of Residential Mortgage). The order also required remedial actions, including submission of refined incident response plans, risk assessments, and training and monitoring materials—all worth examining for lessons for compliance and security practitioners.
The impact of the consent order goes beyond insurance and financial services organizations in New York. The DFS cybersecurity framework served as the basis for the NAIC’s model cybersecurity law, which is now active or proposed in roughly 20 states, and intersects with many of the common controls found in SOC 2, ISO 27001, and other security frameworks.
Even if your organization is not subject to the DFS regulation, take heed of the findings below.