DFS fines Insurance Company $3 Million for Unreported Data Breaches and False Compliance Certification
The New York Department of Financial Services (DFS) has fined National Securities Corporation $3 million for failing to notify it of two data breaches and for falsely certifying compliance with its cybersecurity regulation; the Department's second settlement demonstrates DFS's demand for strict compliance with that regulation.
National Securities Corporation (National Securities) is a New York State licensed insurance company. A DFS investigation revealed that between 2018 and 2020, National Securities was the victim of four cybersecurity incidents. Phishing attacks were the suspected cause of each of the incidents and in all cases, the malicious actors were believed to have accessed customers' non-public personal data.
As detailed in the Consent Order, although National Securities reported all of the breaches to various state and federal regulators, it only reported two of these incidents to DFS. DFS's $3 million penalty stems from (1) National Securities' failure to report two of the incidents, (2) its failure to implement Multi-Factor Authentication (MFA), or a reasonably equivalent alternative, for its email environment and (3) its false certification that it was compliant with the DFS Cybersecurity Regulation in 2018, despite not having the required MFA.
This is the second settled enforcement action relating to the Cybersecurity Regulation that DFS has announced. Last June, DFS also announced an enforcement action against First American Title Insurance Company under its Cybersecurity Regulation, but the allegations have not yet been settled or otherwise resolved.
DFS Cybersecurity Regulation
The DFS Cybersecurity Regulation, 23 NYCRR Part 500, took full effect in March 2019, though certain provisions, including the MFA requirement in Section 500.12, had to be in place earlier, by March 2018 (see the transitional periods in Section 500.22(a)). As we have discussed previously, the Regulation requires covered entities to, among other things, put a Cybersecurity Program and Policy in place, conduct cyber risk assessments, maintain an incident response plan, provide annual certifications of compliance to DFS, and notify the Superintendent of "Cybersecurity Events" within 72 hours of determining that one has occurred. A Cybersecurity Event is reportable if it is (i) an event of which notice is required to be provided to any government body, self-regulatory agency or other supervisory body, or (ii) an event that has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.
In addition, Section 500.12(b) of the Regulation requires MFA for all individuals accessing the internal network of a covered entity from an external network. This requirement extends to third-party applications and users that are capable of accessing a company's internal systems. A covered entity that does not use MFA must instead implement "reasonably equivalent or more secure access controls" that have been approved, in writing, by the company's Chief Information Security Officer.
The Breaches and DFS Investigation
The first of the two incidents that National Securities reported to DFS occurred in September 2019 and was reported in October 2019. At the time, National Securities had not implemented MFA for its email services. National Securities determined that the likely cause was a phishing attack and that customer data had been accessed. In response, National Securities contacted all customers whose non-public information may have been affected, changed their login credentials, and provided credit monitoring.
The second reported incident occurred in April 2020 and was reported to DFS in May 2020. By then National Securities had migrated its internal employees to an email system with MFA; however, the independent contractors affiliated with the company had not yet been migrated to that system. A successful phishing attack on a broker whom the company had engaged as an independent contractor resulted in a significant transfer of funds out of a customer account. National Securities refunded the unauthorized transfers to the affected customers, thereby incurring a $400,000 loss. It also contacted all customers whose non-public information may have been affected, changed their login credentials, and provided credit monitoring.
The two incidents that were not reported to DFS occurred earlier. In April 2018, National Securities' IT department discovered that a threat actor had gained access to the CFO's email account after the CFO clicked on a phishing email. National Securities reported the event to the Attorney General's Offices in New York, New Jersey, Connecticut and Massachusetts, but not to DFS. It also notified all individuals whose personal information had potentially been exposed and changed their account credentials.
In March 2019, National Securities discovered that an unauthorized actor had had access to an employee's document management system account since December 2018, again the likely result of a phishing scheme. National Securities notified the IRS, SEC, FBI and the local County Sheriff's office, but not DFS. It also notified all potentially affected customers, changed their login credentials, and provided credit monitoring.
False Compliance Certification
National Securities also certified compliance with the DFS Cybersecurity Regulation for the 2018 calendar year. Compliance for that year required the MFA that Section 500.12 had mandated since March 2018, which National Securities did not have in place at the time.
National Securities was ordered to pay $3 million to New York State and to commence further improvements to its existing cybersecurity programs to ensure full compliance with the DFS Cybersecurity Regulation. The settlement took into account National Securities' "commendable cooperation" with the investigation and noted that the company had "demonstrated its commitment to remediation by devoting significant financial and other resources to enhance its cybersecurity program."
Key Takeaways
- Companies must understand and comply with overlapping U.S. reporting requirements. In the rapidly evolving sphere of cyber regulation, companies are likely to be subject to a number of overlapping jurisdictional and sector-based cyber and data disclosure requirements. This settlement shows that extensive reporting to other authorities does not discharge the separate obligation to report to DFS. Indeed, under the Regulation's definition, an incident that must be reported to any other government body, self-regulatory agency or supervisory body is by that fact a Cybersecurity Event that must also be reported to DFS within 72 hours. National Securities reported every breach it suffered to multiple state and federal agencies and contacted all potentially affected customers each time; DFS nonetheless cited the two unreported incidents as grounds for the fine.
- Companies must consider their supply chain when assessing cyber risk. The Cybersecurity Regulation's requirement that companies implement MFA or a reasonable equivalent extends to third-party systems and users with access to internal networks. Here, although National Securities' employees were protected by MFA, its independent contractors were not. The delay in moving those contractors onto the MFA-protected email system contributed to the $400,000 loss referenced above.
- Employee training is the first line of defence. This case demonstrates that phishing attacks can be extremely costly, both in their direct effect (here a loss of $400,000) and in managing the regulatory fallout, including the cost of notifying customers, providing credit monitoring services, meeting regulatory notification requirements, and paying any subsequent fines, which can be substantial. Robust training programs can alert employees to the risk indicators of phishing schemes and, if effective, prevent phishing attempts from escalating into serious cyber incidents and data breaches.