The New York Department of Financial Services (NYDFS) has settled alleged violations of the Department’s strict cybersecurity regulations with National Securities Corp. (NSC) for $3 million, regarding four separate cybersecurity events suffered by it and its affiliate National Asset Management, Inc. (NAM) between April 3, 2018 and April 30, 2020.

The Consent Order reports that the “First Cyber Event” happened on September 13, 2019 “when a Human Resources representative received a suspicious email from an employee requesting assistance with a change to the employee’s direct deposit.” The HR representative reached out to the employee by telephone and confirmed that the request was not legitimate. However, the employee’s email account had been compromised through a phishing scheme and affected customers were notified. At the time, NYDFS noted that NSC did not have multi-factor authentication (MFA) implemented, which was required by the cybersecurity regulations.

A second cyber event occurred on April 30, 2020, when a broker of the firm noticed “a potential unauthorized transfer of funds from a client account in the amount of $200,000.” After review, two additional unauthorized transfers from client accounts were discovered. It was also found that forwarding rules were set up from the broker’s account. Although the customers were refunded the amounts that were transferred without authorization (presumably to a cyber-criminal), NAM “did suffer a resulting loss of $400,000.”

During the compromise of the broker’s account, NSC contacted affected individuals, changed their account credentials, and provided them with credit monitoring. At the time of the second cyber event, the brokers had not yet implemented MFA, which was not completed until August 14, 2020.

The Consent Order is a roadmap of NYDFS’ cybersecurity regulations and the requirements that must be met. The Consent Order states: “[P]ursuant to Section 500.12(b) of the Cybersecurity Regulation, MFA must be utilized for any individuals accessing a Covered Entity’s internal network from an external network. This requirement applies to third-party applications, including email platforms such as O365, that access a Covered Entity’s internal network. Section 500.12(b) became effective on March 1, 2018.” NYDFS found that as of that date, NSC did not have MFA implemented in compliance with the regulations. According to the Consent Order, “[D]uring the period between the effective date of Section 500.12(b) and the date MFA was fully implemented on National Securities’ email environment, National Securities did not have controls designed to protect the O365 environment.”

During the investigation, it was discovered that NSC “was the victim of two additional Cybersecurity Events, which were not reported to the Department as promptly as possible and no later than 72 hours of their occurrence, as is required by 23 NYCRR § 500.17(a).” One included a phishing incident that occurred on April 3, 2018, and another occurred on March 6, 2019, when a document management systems account that was part of NSC’s tax software program was compromised during a phishing scheme. Although NSC notified affected individuals of the incidents, NSC did not report the incident to NYDFS per the cybersecurity regulations. NYDFS stated that although NSC certified that it was in compliance with the regulations when it filed its annual report in 2019, it was not in compliance for the 2018 calendar year, and therefore the certificate of compliance with the regulations during that year “was false.”

The settlement includes a $3 million civil monetary payment, which NSC cannot deduct or credit, nor can it obtain reimbursement from its insurance policy; a requirement to “strengthen its controls to protect its cybersecurity systems and the private data of consumers;” and a requirement to implement a “comprehensive written Cybersecurity Incident Response Plan.”

NYDFS gave NSC special mention for its “commendable cooperation throughout this investigation” and “credits National Securities’ ongoing efforts to remediate the shortcomings identified in this Consent Order.”

If you are subject to the NYDFS Cybersecurity Regulations, the Consent Order is a worthwhile read for guidance. It can be accessed here.