On May 1, the New York Department of Financial Services (“NYDFS” or “Department”) and a trading platform entered into a consent order to resolve deficiencies identified during examinations conducted in 2018 and 2020. The consent order focused on multiple issues with the company’s cybersecurity program and included a $1.2 million civil monetary penalty. The company is a large cryptocurrency trading platform that falls under the purview of the NYDFS due to having a BitLicense, which allows the company to engage in virtual currency business activity in the State of New York. As a licensee, the company is a covered entity and must comply with both the Cybersecurity Regulations and the Virtual Currency Regulations.
Through this enforcement action, the NYDFS continues to focus on cybersecurity. Covered entities should consider the following:
- Prioritizing periodic risk assessments as they are not optional. They are critical to the company’s development of an adequate and effective cybersecurity program that will help companies take steps to mitigate risk and protect sensitive data.
- Tailoring policies and procedures to address the company’s risk rather than maintaining them merely as a formality. This goes back to the need to conduct adequate periodic risk assessments, and to implement accurate and well-written policies and procedures that are reviewed on a consistent basis.
- Monitoring cybersecurity regulations on a regular basis in an effort to stay informed and further help compliance.
- Developing incident response plans that outline the steps to be taken in the event a breach occurs.
- Training and educating employees and contractors on cybersecurity policies and procedures and best practices.
The Cybersecurity Regulation requires a licensee to conduct a periodic risk assessment of its information systems that is sufficient to inform the design of the entity’s cybersecurity program, and to update that risk assessment as necessary to address changes to the entity’s information systems, nonpublic information, or business operations. In addition to conducting periodic assessments, a licensee must also establish and maintain an effective cybersecurity program that complies with the Virtual Currency Regulation.
As a result of its investigations, the NYDFS had three main concerns: 1) the audit conducted by the company was too shallow in scope and not properly focused to comply with the requirement to conduct periodic risk assessments of its information systems; 2) the company failed to establish and maintain an adequate cybersecurity program; and 3) the company failed to implement a written cybersecurity policy.
The consent order and the size of the fine demonstrate the continued interest of NYDFS in prioritizing cybersecurity through its enforcement actions and the seriousness with which it will approach these issues. Notwithstanding extensive cooperation with the Department as described in the consent order, the NYDFS still chose to impose a substantial $1.2 million fine.
This outcome stresses the importance of developing and maintaining a strong cybersecurity program that includes periodic risk assessments and written policies and procedures. This requires collaboration among the security team, IT team, internal legal, compliance, and outside counsel partners to ensure that the company’s cybersecurity program and written documentation comply with current regulations, and that risk assessments are conducted, and conducted in sufficient depth, to satisfy regulator expectations.
- Periodic Risk Assessment. The NYDFS claimed that the company failed to conduct a comprehensive risk assessment and instead chose to rely on an IT audit performed by a related entity. Although the IT audit addressed policies and procedures, it was still found to be inadequate because it did not provide the required visibility into the company’s cybersecurity risk. The NYDFS concluded that without knowledge of the company’s security risk, the company’s cybersecurity program was not designed to protect its systems and the data stored on those systems.
- Cybersecurity Program. According to NYDFS, the company also failed to establish and maintain an effective cybersecurity program. Despite having some policies and procedures in place, the Department focused on the fact that the policies and procedures in place were not tailored to address the company’s needs and risks and had a host of other issues.
- Written Cybersecurity Policy. The NYDFS alleged that the company failed to implement a written cybersecurity policy that set forth the company’s policies and procedures for the protection of its electronic systems and stored data. The NYDFS highlighted the numerous inaccuracies in the policies and procedures that the company did have in place. Lastly, the consent order discussed the lack of annual reviews and the failure to obtain annual board approval of its policies.