NY Department of Financial Services Enforces First-in-the-Nation Cybersecurity Rules and Fines Mortgage Lender $1.5 Million for Failure to Comply

For the second time, DFS has fined a regulated entity for failure to comply with the Cybersecurity Regulation.

For the second time, DFS has fined a regulated entity for failure to comply with the Cybersecurity Regulation. In March 2017, New York State’s Department of Financial Services (“DFS”) implemented the nation’s first cybersecurity rules requiring all regulated entities, such as banks, insurers, financial businesses, and regulated virtual currency operators, to fortify their cybersecurity protocols by implementing and maintaining cybersecurity policies (the “Cybersecurity Regulation”). These protocols and policies include, among other things, establishing a detailed security plan, increasing the monitoring of third-party vendors, appointing chief information security officers, and reporting breaches to the Superintendent of the Department of Finance within 72 hours of identifying a Cybersecurity Event. The Cybersecurity Regulation is codified at 23 NYCRR 500.

This recent settlement is a reminder to banks, insurers, financial businesses, and regulated virtual currency operators that DFS is enforcing the Cybersecurity Regulation and placing harsh penalties on regulated entities that fail to comply. Regulated entities should familiarize themselves with the Cybersecurity Regulation and ensure their cybersecurity protocols and policies comply with the regulation. Further, in the event of a breach, the Chief Information Security Officers, or other individuals tasked with assuming responsibility for regulatory compliance, should ensure that the company performs an adequate investigation and meets all notification requirements, including notifying the Superintendent of the Department of Finance within 72 hours of identifying a breach. SOURCE