NYDFS Escalates and Expands Cybersecurity Enforcement

On October 18, 2022, the New York Department of Financial Services (“NYDFS”) announced the execution of its sixth consent order for alleged violations of Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations (“Part 500”).  This latest settlement imposes a $4.5 million fine on EyeMed Vision Care, LLC (“EyeMed”) – one of the heftiest monetary penalties yet.

This consent order came just over two weeks before the Department released its official Proposed Amendments to Part 500, which, if finalized, will impose even more stringent requirements on covered entities.

The frequency of the consent orders, the increasing size of the monetary penalties, and the Department’s plans to strengthen the Regulation itself illustrate NYDFS’ zeal to “promote the protection of customer information as well as the information technology systems of regulated entities,” and suggest that 2023 will continue the trend of rigorous accountability.

Past Enforcement Actions

NYDFS’ enforcement of Part 500, promulgated in March 2017, was not initially so vigorous.  It was not until July 22, 2020, three years after the Regulation’s adoption, that NYDFS first initiated charges for violations of Part 500.  In its inaugural action, NYDFS alleged that First American Title Insurance Company had failed to remedy a vulnerability that had allowed “unfettered access to the personal and financial data” of millions of customers for years and had neglected to follow its own procedures in the process.  The Company challenged the Department’s findings, and the action is currently pending.  Despite this rocky start, the pace of NYDFS enforcement has only accelerated.  In 2021, NYDFS entered into three consent orders with companies that vary in size and sophistication, resulting in fines that ranged from $1.5 – $3 million.  In 2022, NYDFS has already entered into three additional consent orders with Carnival Corporation and its entities (“Carnival”), Robinhood Crypto, LLC (“Robinhood”), and most recently with EyeMed.

Altogether, these recent actions demonstrate consistent enforcement priorities and, for the most part, impose monetary penalties in the $4.5 – $5 million range.  The action against Robinhood, however, functions as something of an outlier.  Unlike the others, this consent order developed as the result of a supervisory examination rather than a security incident and imposed a $30 million penalty for violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), and Transaction Monitoring Regulation (23 NYCRR Part 504), in addition to violations of Part 500.  Nevertheless, the consent order also demonstrates continued commitment to the familiar cybersecurity requirements articulated in those actions alleged exclusively pursuant to Part 500.

Critical Areas of Enforcement Under the Current Regulation

NYDFS’ latest consent orders reinforce the Department’s particular focus on several key areas of compliance.

  • A comprehensive implementation of MFA tops NYDFS’ list of priorities. Pursuant to Section 500.12(b) of the Cybersecurity Regulation, MFA must be utilized for any individual accessing a Covered Entity’s internal network from an external network.  All of the consent orders address failure to comply with this requirement.  For instance, the Department determined that at the time of Carnival’s first cybersecurity incident, one of the Company’s entities, Princess Cruise Lines, had not completed an MFA rollout to its Office 365 environment.  The consent order does not detail the extent of Princess Cruise Lines’ shortcomings.  The Department’s charges, however, show that companies may be held strictly liable for violations of the MFA requirement that affect only a limited number of their entities.
  • Robust employee training is also front of mind for NYDFS. The Department penalized Carnival for disappointing § 500.14 of the Cybersecurity Regulation, which mandates regular cybersecurity awareness training for all personnel.  According to the Order, the sheer repetition of Carnival’s phishing incidents, “all within a period of less than four years, demonstrates that the Carnival Companies’ training was inadequate.”
  • Among the consistently cited violations is a failure to conduct risk assessments, as outlined in 500.02(b) of the current Regulation. Both the Robinhood and the EyeMed consent orders allege this violation.
  • Several new areas of attention have also emerged in the recent consent orders, suggesting that the Department is equally attuned to less frequently cited requirements. In the EyeMed consent order, NYDFS alleged that EyeMed failed to limit user access privileges when nine employees shared credentials for one email account, and that EyeMed failed to implement a sufficient data minimization strategy and disposal process for that mailbox, violating § 500.03 and § 500.13, respectively.  Further, in the Robinhood action, NYDFS alleged that the Company did not ensure adequate policies and procedures tailored to the entity because it depended on the cybersecurity compliance regime of its parent company.

Key Proposed Changes

With six enforcement actions down, NYDFS’ priorities have begun to crystalize.  While the proposed amendments further refine many of these key requirements, it is not yet clear how the Department’s priorities will evolve once it finalizes the changes.  Covered entities will likely need to reshape their compliance programs.

The following modifications stand out:

  • The amendments create a new subset of covered entities, “Class A Companies,” defined as covered entities with $20 million in gross annual revenue in each of the last two fiscal years that have over 2,000 employees, or that made more than $1 billion in gross revenue in each of the last two fiscal years from all business operations. The amended Regulation imposes a series of more onerous requirements on these entities, including mandates to conduct an annual independent audit of their cybersecurity programs, use external experts to conduct a risk assessment at least once every three years, and monitor privileged access activity, among other requirements.
  • NYDFS has proposed a number of changes to the notification requirements. Principally, the amendments would add two additional scenarios that trigger the 72-hour notification requirement for reporting to NYDFS: (1) a cybersecurity event where an unauthorized user has gained access to a privileged account or (2) if ransomware is deployed within a material part of the information system.  Currently the notification requirement is triggered if the entity reports the incident to any government body or if the incident has a reasonable likelihood of materially harming any material part of the entity’s operations.  The proposed rules have also added a new 24-hour notification requirement when a ransomware payment has been made, followed by an explanation of the reasons payment was necessary and a description of alternatives considered.
  • NYDFS has proposed procedural changes to the annual certification requirement. Notably, the amendments add an alternative to certification that would allow an entity to provide written acknowledgment that it is not in full compliance with the requirements of Part 500.  In order to do so, the entity would have to describe areas of noncompliance and remedial plans, including a proposed timeline.  All of the Department’s previous consent orders included a violation for false certifications when NYDFS found an organization’s protections or procedures wanting.  Theoretically, this change should prevent the Department from meting out multiple charges for the same underlying infraction, although the extent to which covered entities will avail themselves of this alternative remains unseen.
  • NYDFS has proposed changes to the controls and technical measures required by Part 500. In particular, the Department would compel the implementation of MFA for remote access to the network (i.e., VPN access), applications from which nonpublic information is accessible, and for privileged accounts.  Under the current Regulation, covered entities must only implement MFA for any individual accessing the internal network from an external network.
  • The proposed amendments also clarify that the failure to satisfy an obligation will constitute a violation, including the failure to comply for any 24-hour period with any section. While this approach to monetary calculations is consistent with how the NYDFS has been enforcing Part 500, it is not codified in the current text of the Regulation and was a point of contention in the First American challenge.

Stakeholders have 60 days from the date of publication in the State Register to provide comments to the Department.  This period ends on January 9, 2023.  We will continue to monitor developments to Part 500 as well as new consent orders as they are published.