Top 5 Takeaways from NYDFS $1.2 Million Fine in Cybersecurity Case

4 minute read | June.05.2023

On May 1, the New York Department of Financial Services (“NYDFS” or “Department”) and a trading platform entered into a consent order to resolve deficiencies identified during examinations conducted in 2018 and 2020. The consent order focused on multiple issues with the company’s cybersecurity program and included a $1.2 million civil monetary penalty. The company is a large cryptocurrency trading platform that falls under the purview of the NYDFS due to having a BitLicense, which allows the company to engage in virtual currency business activity in the State of New York. As a licensee, the company is a covered entity and must comply with both the Cybersecurity Regulations and the Virtual Currency Regulations.

The Takeaways

Through this enforcement investigation, the NYDFS continues to focus on cybersecurity. Covered entities consider the following:

Prioritizing periodic risk assessments as they are not optional. They are critical to the company’s development of an adequate and effective cybersecurity program that will help companies take steps to mitigate risk and protect sensitive data.
Tailoring policies and procedures to address the company’s risk and not having them merely as a formality. This goes back to the need to conduct adequate periodic risk assessments. Implementing accurate and well-written policies and procedures that are reviewed on a consistent basis.
Monitoring cybersecurity regulations on a regular basis in an effort to stay informed and further help compliance.
Developing incident response plans that outline the steps to be taken in the event a breach occurs.
Training and educating employees and contractors on cybersecurity policies and procedures and best practices.

The Details

The Cybersecurity Regulation requires a licensee to conduct a periodic risk assessment of its information systems that is sufficient enough to inform the design of the entity’s cybersecurity program and update such risk assessment as necessary to address changes to the entity’s information systems, nonpublic information, or business operations. In addition to conducting periodic assessment, a licensee must also establish and maintain an effective cybersecurity program that is in compliance with the Virtual Currency Regulation.

As a result of its investigations, the NYDFS had three main concerns: 1) the audit conducted by the company was too shallow in scope and not properly focused to comply with the requirement to conduct periodic risk assessment of its information systems; 2) the company failed to establish and maintain an adequate cybersecurity program; and 3) the company failed to implement a written cybersecurity policy.

The consent order and the size of the fine demonstrate the continued interest of NYDFS in prioritizing cybersecurity through its enforcement actions and the seriousness with which it will approach these issues. Notwithstanding extensive cooperation with the Department as described in the consent order, the NYDFS still chose to impose a substantial $1.2 million fine.

This outcome stresses the importance of developing and maintaining a strong cybersecurity program that includes periodic risk assessments and written policies and procedures. This requires collaboration among the security team, IT team, internal legal, compliance, and outside counsel partners to ensure that their cybersecurity programs and written documentation are compliant with current regulations, and that risk assessments are conducted—and conducted in depth enough—to satisfy regulator expectations.

Issue Summary

Periodic Risk Assessment. The NYDFS claimed that the company failed to conduct a comprehensive risk assessment and instead chose to rely on an IT audit performed by a related entity. Although the IT audit provided for policies and procedures it was still found to be inadequate as it did not provide the required visibility into the company’s cybersecurity risk. The NYDFS came to the conclusion that without knowledge of the company’s security risk, the company’s cybersecurity program was not designed to protect its systems and the data stored on those systems.
Cybersecurity Program. According to NYDFS, the company also failed to establish and maintain an effective cybersecurity program. Despite having some policies and procedures in place, the Department focused on the fact that the policies and procedures in place were not tailored to address the company’s needs and risks and had a host of other issues.
Written Cybersecurity Policy. The NYDFS alleged that the company failed to implement a written cybersecurity policy that set forth the company’s policies and procedures for the protection of its electronic systems and stored data. The NYDFS highlighted the numerous inaccuracies that were in the policies and procedures that the company did have in place. Lastly, the consent order discussed the lack of annual reviews and the failure to annually obtain board approval of its polices.

For more information about this consent order and its implications, please contact Edward Somers, Elizabeth McGinn, Alexis Murray, or an Orrick attorney with whom you have worked in the past.

Authors

Edward Somers Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Chicago

See my bio

D:+1 312 924 9835
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Edward Somers Partner

Chicago

Ted is a trusted advisor to the financial services industry in supervisory and enforcement matters before state and federal regulators, including the CFPB, and the DOJ. He also has significant experience guiding clients through enhancements to internal policies, practices, and customer-facing documentation to align with regulator expectations.

Prior to joining Orrick, Ted was a partner at Buckley LLP.

Elizabeth McGinn Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.; New York

See my bio

D:+1 202 349 7968
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Elizabeth McGinn Partner

Washington, D.C.; New York

In conjunction with this work, she develops policies and procedures, records retention schedules and training materials. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent such breaches from occurring, and advising clients in responding to regulatory inquiries, investigations and enforcement actions related to privacy, information security and cybersecurity issues. She also assists numerous professional sports teams comply with data privacy concerns, consumer financing laws and payment system issues.

Beth also represents financial institutions, corporations and individuals in a wide range of matters. She advises clients in investigations, examinations and litigation initiated by the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (NYDFS), the Department of Justice (DOJ), the Federal Trade Commission (FTC), state attorneys general and bank regulatory agencies. She has represented financial institutions in class action litigation concerning federal and state fair lending laws, mortgage fraud, unfair and deceptive trade practices statutes, consumer fraud statutes and consumer privacy laws. She has extensive experience counseling clients in response to federal and state subpoenas and handling all aspects of e-discovery.

Over the course of her career, Beth has represented clients in matters involving simultaneous criminal, civil administrative and congressional proceedings. She has defended clients in matters relating to money laundering compliance issues and investigations and litigation by the U.S. Attorney’s Office for the Southern District of New York (SDNY), the Manhattan District Attorney’s Office, the Department of Treasury, the Securities and Exchange Commission (SEC), and various congressional committees, including the U.S. Committee on Homeland Security and Government Affairs Permanent Subcommittee on Investigations, the U.S. House Financial Services Committee and the U.S. House Committee on Oversight and Government Reform.

Beth has published and spoken on a variety of topics, including privacy, cybersecurity, electronic discovery, vendor management and consumer financial services litigation. She authored the chapter on “Oversight of Compliance and Control Responsibilities” for Navigating the Digital Age – The Definitive Cybersecurity Guide for Directors and Officers. She has been recognized for her work in Cyber Law (Data Protection and Privacy) by Legal 500 since 2013, which describes her as “outstanding on privacy and e-discovery issues,” “able to advise both on the regulatory and litigation sides of problems,” an attorney who "exceeds expectations on response and turnaround times,” “has strong industry knowledge in data security and privacy, and is able to walk the fine line between operational efficiency and regulatory compliance' when developing IT policies.” It also described her as “top notch, incredibly responsive, thoughtful, and provides advice that is both practical and efficient.”

Prior to joining Orrick, Beth was a partner at Buckley LLP where she was Co-chair of the firm’s Privacy, Cyber Risk & Data Security practice and E-discovery Committee. Previously she was an associate at Skadden, Arps, Slate, Meagher & Flom. She clerked for Federal Magistrate Judge P. Trevor Sharp of the United States District Court for the Middle District of North Carolina after law school. Beth is a Certified Information Privacy Professional (CIPP/US).

View Beth's webcasts & speaking engagements, news mentions and publications.

Joseph C Santiesteban Partner, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

Seattle

See my bio

D:+1 206 839 4352
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban Partner

Seattle

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises companies and executives in connection to regulatory investigations, class actions, enforcement actions, and other disputes that frequently flow from privacy and cybersecurity incidents.

Joe helps clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly skilled at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on effective communications strategies. He draws on this experience to help companies proactively prepare for an incident through creative strategies that foster engagement and collaboration between legal, security, communications and leadership teams. This includes building and improving incident response programs through response plans, simulated incidents, threat workshops, and training. In addition, Joe assists clients in practically evaluating the legal risk of security decisions in a variety of transactions and across the product lifecycle.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on the Orrick’s Finance and Audit and Pro Bono Committees. A leader and advocate for diversity and inclusion initiatives, Joe is the co-head of Orrick’s Latinx Inclusion Network and was selected as a 2024 Rising Star by the Minority Corporate Counsel Association (MCCA). He was also named to Lawdragon's 2024 500 X Next Generation Rising Stars List and a member of the Washington Latino Bar Association and the Hispanic National Bar Association.