4 minute read | June.05.2023
On May 1, the New York Department of Financial Services (“NYDFS” or “Department”) and a trading platform entered into a consent order to resolve deficiencies identified during examinations conducted in 2018 and 2020. The consent order focused on multiple issues with the company’s cybersecurity program and included a $1.2 million civil monetary penalty. The company is a large cryptocurrency trading platform that falls under the purview of the NYDFS due to having a BitLicense, which allows the company to engage in virtual currency business activity in the State of New York. As a licensee, the company is a covered entity and must comply with both the Cybersecurity Regulations and the Virtual Currency Regulations.
Through this enforcement investigation, the NYDFS continues to focus on cybersecurity. Covered entities consider the following:
The Cybersecurity Regulation requires a licensee to conduct a periodic risk assessment of its information systems that is sufficient enough to inform the design of the entity’s cybersecurity program and update such risk assessment as necessary to address changes to the entity’s information systems, nonpublic information, or business operations. In addition to conducting periodic assessment, a licensee must also establish and maintain an effective cybersecurity program that is in compliance with the Virtual Currency Regulation.
As a result of its investigations, the NYDFS had three main concerns: 1) the audit conducted by the company was too shallow in scope and not properly focused to comply with the requirement to conduct periodic risk assessment of its information systems; 2) the company failed to establish and maintain an adequate cybersecurity program; and 3) the company failed to implement a written cybersecurity policy.
The consent order and the size of the fine demonstrate the continued interest of NYDFS in prioritizing cybersecurity through its enforcement actions and the seriousness with which it will approach these issues. Notwithstanding extensive cooperation with the Department as described in the consent order, the NYDFS still chose to impose a substantial $1.2 million fine.
This outcome stresses the importance of developing and maintaining a strong cybersecurity program that includes periodic risk assessments and written policies and procedures. This requires collaboration among the security team, IT team, internal legal, compliance, and outside counsel partners to ensure that their cybersecurity programs and written documentation are compliant with current regulations, and that risk assessments are conducted—and conducted in depth enough—to satisfy regulator expectations.