What do the NYDFS cybersecurity regulation penalties and fines mean for multi-factor authentication?
The New York State Department of Financial Services (NYDFS) has reached a settlement with National Securities Corporation (the Company) requiring a payment of $3m for alleged failures to properly implement multi-factor authentication (MFA), provide notice to NYDFS of two cybersecurity events and for falsely certifying compliance for the 2018 calendar year, all of which are breaches of the NYDFS Cybersecurity Regulations.
Note that the NY Cybersecurity Regulations apply to “Covered Entities”, namely “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
The scope is therefore narrower than the GDPR and other, more general, data protection legislation, although a number of parallels can be drawn. While the Cybersecurity Regulation applies to fewer entities, for the entities it does apply to, the scope of protected information is arguably broader: all “non-public information” (NPI) must be protected, whether or not it would constitute personal data under the GDPR.
Why Was this Company Fined?
- Two cybersecurity incidents were not reported to the NYDFS (in breach of 500.17(a)) (this was in addition to two cybersecurity incidents that were reported);
- The Company failed to implement MFA (or reasonably equivalent or more secure access controls approved by the Company’s CISO) for individuals accessing the Company’s internal network from an external network (in breach of 500.12(b)) and for third party applications; and
- The Company certified compliance with the NYDFS Cybersecurity Regulations for the 2018 calendar year despite the foregoing failures, which are evidence that it was not in fact compliant.
One area to flag is the NYDFS’ apparent widening of the MFA requirements in its Cybersecurity Regulations. The wording of the regulation (500.12(b)) states as follows:
“Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.” (my emphasis)
However, the Consent Order states:
“Certain third-party applications used by the Company, which accessed the Company’s internal network or contained consumer NPI, did not have MFA fully implemented, and one application does not have MFA fully implemented, in violation of 23 NYCRR § 500.12(b).”
What Type of Precedent Does this Set?
The above extract from the Consent Order seems to widen the MFA requirement so that it now applies in all circumstances in which third party applications used by the Company access the internal network, whether or not those applications are being accessed by an employee from an external network. More guidance from the NYDFS is needed to determine whether this was the intended outcome and what the NYDFS’ interpretation of 500.12(b) is.
The $3m settlement with the Company also follows a recent $1.5m settlement with Residential Mortgage Services, Inc, which likewise cited a failure to investigate and respond appropriately to a cybersecurity incident. Clearly this is a key focus area for the NYDFS.
While the settlement does not set a precedent in a legal sense, it gives a good indication of the NYDFS’ regulatory focus. This aligns with the focus of other regulators, who are quick to act following cybersecurity incidents and/or data breaches (see below).
NYDFS Cybersecurity Regulation Penalties
The fine paid by National Securities Corporation was levied ‘pursuant to Financial Services Law § 408’, which allows the superintendent to decide on NYDFS cybersecurity regulation penalties. The scale of these penalties was expanded relatively recently. Under Section 408(a) they are now “(i) up to $5,000 per offense for fraud (including intentional material misrepresentations) involving a “financial product or service”; or (ii) up to $1,000 for certain other violations of the financial services law or regulations”, and under Section 408(b) “the greater of (i) $5,000 “for each offense”; (ii) twice the damages attributable to the offense; or (iii) twice the economic gain attributable to the offense”. There is also a stipulation for a daily penalty of up to $250,000 to accrue for ongoing non-compliance.
In the case of Part 500 cybersecurity offenses, where offenses are measured by individual users affected or individual records compromised, these NYDFS cybersecurity regulation penalties could potentially run to billions. In the cases that have already been prosecuted, the highest fine meted out has been the $3 million paid by National Securities; however, there is significant scope for increased NYDFS cybersecurity regulation penalties for more egregious violations of Part 500.
How is this Similar or Different from the GDPR Fines Companies are Seeing?
The National Securities Corporation penalty follows on from a cybersecurity incident suffered by the Company. A number of the big GDPR enforcement fines we have seen (particularly from the ICO in the UK) have similarly followed on from cybersecurity incidents and data breaches.
While the GDPR doesn’t prescribe specific security measures (such as MFA), it does require the implementation of “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. The GDPR is, however, very clear on the scale of potential fines, with two tiers of violation: €10 million or 2% of global revenue for the first tier and €20 million or 4% of global revenue for the second, which covers more serious violations. The largest of these fines have been levied against Amazon and WhatsApp, who faced penalties of €746 million and €225 million respectively. These are significantly larger than any of the NYDFS cybersecurity regulation penalties so far, but they give an idea of the potential scale. One of the main lessons that can therefore be learned from the NYDFS penalty is that not implementing required security measures can be a costly decision.
Due to the nature of the cybersecurity incident (i.e. the threat actor obtained access to personal data), it would also have constituted a data breach under the GDPR. As such, had it affected data subjects whose data was covered by the GDPR, the Company could have faced enforcement action from multiple regulators for breaches of different regulations stemming from the same facts.
It’s also worth noting that a constituent element of the penalty relates to the Company’s failure to notify the NYDFS of two cybersecurity incidents. Pursuant to 500.17(1)(a), the NYDFS must be notified of any Cybersecurity Event where notification is also required to any other “government body, self-regulatory agency, or other supervisory body”.
Similar (and potentially overlapping) notification requirements exist under the GDPR, and these must be borne in mind by organizations in the aftermath of any security incident.
How Might We Expect Business Compliance Teams to Respond to This?
One of the key reactions that business compliance teams should have is to review breach response policies and procedures to ensure that they cover all applicable reporting requirements.
The timeframe for reporting breaches under both the GDPR and the NYDFS Cybersecurity Regulation is 72 hours from discovering the breach, so time is of the essence. Staff should be trained to identify potential breaches and escalate them appropriately within the organization, so that legal advice can be obtained where necessary as to whether a report needs to be made.
Part of the Company’s obligations under the Consent Order is to implement a Cybersecurity Incident Response Plan. It is therefore better to proactively consider and implement such a plan before an event has occurred than to be forced to do so after the fact by a regulator.
Summing it All Up
Another crucial takeaway is that all four of the cybersecurity incidents referred to in the Consent Order (the two that were notified to the NYDFS and the two that the Company failed to notify the NYDFS about) are thought to have been caused by phishing schemes. Phishing emails are also cited as the cause of the cybersecurity incident referred to in the $1.5m Residential Mortgage Services consent order.
As is commonly the case, the weakest link in the Company’s security was therefore the human element. Compliance teams should redouble their efforts in training staff to identify suspicious emails and follow the necessary policy (i.e. contact IT teams and delete the offending emails without opening them). Again, as part of the Consent Order, the Company was required to submit to the NYDFS a cybersecurity training program to be rolled out to all personnel.
The expansion of the scope of the MFA requirement is also something that compliance teams should review carefully. Where entities subject to the NYDFS regulation use cloud-based applications that are accessed from within the internal network, these may previously have been overlooked when deciding where to implement MFA. Given the provisions of the Consent Order, this decision may need to be revisited.