Anticipating the First Cybersecurity Enforcement Action by NYDFS
A number of traditional factors that animate decisions about enforcement point to a likelihood in the near term of an enforcement proceeding against one or more regulated entities for a violation of the DFS cybersecurity regulation, known as "Part 500."
January 06, 2020 at 11:30 AM
The question gets asked quite frequently in regulatory circles: "Will the New York State Department of Financial Services bring an enforcement action under its cybersecurity regulation, and if so, when?" The probable answers are "yes" and "soon." As discussed below, a number of traditional factors that animate decisions about enforcement point to a likelihood in the near term of an enforcement proceeding against one or more regulated entities for a violation of the DFS cybersecurity regulation, known as "Part 500." (23 N.Y.C.R.R. §500.)
Background on Part 500
First issued in March 2017, Part 500 contained a two-year implementation period and has been fully effective for approximately nine months. Generally, regulated institutions must implement and maintain a "robust" cybersecurity program, including such core elements as:
• a written policy, approved by the board of directors or a senior officer, setting forth the procedures for protecting information systems and stored non-public information; and which includes a written incident response plan designed to promptly respond to and recover from a Cybersecurity Event;
• periodic risk assessments, updated as necessary to address changes to systems, types of data, or operations;
• continuous monitoring; or alternatively, annual penetration testing and bi-annual vulnerability assessments;
• notification to DFS within 72 hours of a qualifying Cybersecurity Event;
• a Chief Information Security Officer responsible for overseeing the cybersecurity program;
• risk-based limits on user access privileges to information systems, with periodic review of such privileges;
• written policies and procedures governing information systems and non-public information accessed or held by third-party service providers;
• effective controls such as multi-factor authentication and encryption of non-public information at rest and in transit; and
• annual certification of compliance by the board of directors or a senior officer of the entity.
Regarding enforcement, §500.20 of the regulation states "[it] will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent's authority under any applicable laws."
Implementation of the Cybersecurity Regulations to Date
From March 2017 through the end of 2018, DFS focused on encouraging regulated entities to move expeditiously to comply with Part 500. In its December 2018 guidance memorandum, DFS updated licensed institutions on how the agency had been approaching implementation of Part 500. DFS reported that its "examiners have been including cybersecurity in all regular examinations across the Department." DFS noted further that it had already received approximately 1,000 notices of Cybersecurity Events, "a significant number of which" stemmed from phishing-type attacks targeted at employees of regulated entities. The guidance elaborated that, upon receipt of a breach notice, DFS may have taken steps such as notifying other regulated entities prophylactically to protect against further intrusions, conducting further investigation, or determining no further action was necessary. The December 2018 guidance concluded by reemphasizing the need for full compliance to be achieved by licensed entities (except for a small exempt group) by the March 2019 deadline.
Next, in May 2019, DFS announced the creation of its Cybersecurity Division, headed by a former federal cybercrime prosecutor. DFS described the new division's mission as enforcing the cybersecurity regulations, advising on cybersecurity examinations, issuing additional guidance for regulated entities, conducting investigations alongside the Consumer Protection and Financial Enforcement Division, and disseminating trend and threat information to the financial services industry.
And just before the creation of the Cybersecurity Division was announced, it was reported that DFS Superintendent Linda Lacewell told participants at a conference that cybersecurity is "the number one threat facing all industries and governments globally," and—after noting DFS' leading role in cybersecurity regulation—the Superintendent indicated that cybersecurity remains a top DFS priority, saying, "we've got to do the hard work." See Craig Newman and Alejandro Cruz, "Incoming DFS Chief Calls Cyber the 'Number One Threat' Facing Industry and Government," Program on Corporate Compliance and Enforcement at NYU School of Law (April 18, 2019).
Enforcement Mechanisms Available to DFS
When the work of DFS turns to enforcing Part 500, several mechanisms exist by which the agency can take action against a non-compliant cybersecurity program:
First, for entities subject to the Banking Law, the Superintendent may issue an order requiring a licensed institution to discontinue any "unsafe or unsound" practice. Substantial lack of compliance with the cybersecurity standards established by DFS could readily be considered an "unsafe and unsound" practice of a financial institution. See Banking Law §39(2).
Second, if determined to be an unsafe and unsound practice under the Banking Law, DFS also may impose a civil monetary penalty against a licensed entity. Penalties accrue on a per-day basis and each discrete violation can amount to a daily penalty of up to $250,000. See id. §44.
Third, because Part 500 was issued pursuant to the authority of the Financial Services Law, that law provides for a civil monetary penalty of up to $1,000 per violation of Part 500. See Financial Services Law §408(a). What might constitute a violation of the regulation, and how many violations might arise out of one or more cyber breaches or deficiencies, is currently unsettled.
Fourth, DFS has authority to bring on its own an action in federal court under the consumer protection provisions of the Dodd-Frank Act (12 U.S.C. §5552(a)(1)). Here, DFS theoretically could sue a consumer-facing financial institution (in this case, even an entity not licensed by DFS) for unfair, deceptive or abusive practices—an action similar to the type of cyber breach enforcement action periodically brought by the Federal Trade Commission under the Gramm-Leach-Bliley Act or Federal Trade Commission Act.
Fifth, DFS may suspend or revoke the license of a regulated entity for certain regulatory violations (usually following notice and a hearing)—the most severe of penalties for a regulated entity.
First Enforcement Action: What To Look For
Several factors applicable to enforcement actions generally suggest how DFS may proceed in the first enforcement action arising out of a significant Part 500 violation—and when:
Consumer Impact: Superintendent Lacewell has repeatedly emphasized that consumer impact is a key driver of current DFS enforcement policy. (See, e.g., Matthew L. Levine, "DFS Enforcement to Increase Focus on Consumer Protection," New York Law Journal (Sept. 3, 2019).) A specific cyber breach causing widespread injury to New York consumers and springing from a non-compliant cyber program is a likely target for an enforcement action. Indeed, one of the FAQs pertaining to Part 500 on the DFS website specifically addresses how to provide notice when a Cybersecurity Event involves harm to consumers.
Industry Impact: Should DFS examinations uncover a common and persistent failure by certain licensed institutions to meet one or more particular requirements of Part 500, DFS might bring an enforcement action against multiple entities simultaneously—known as a "sweep"—in order to send a message to all licensees that they should take cyber hygiene seriously. One example might be where DFS discovers that a type of third-party service provider has non-compliant cybersecurity programs, and DFS seeks to send a strong message that this is one area of high risk deserving immediate attention.
Low Hanging Fruit: Simple and compelling facts make for a likely enforcement action. As noted above, an entity is required to report a qualifying cyber event to DFS within 72 hours of the event. Where an entity fails to do so without proper justification (and there are very few), a violation would appear to be clearly established. Similarly, where an entity certifies that it is in compliance with Part 500, but a DFS examination demonstrates clearly identifiable and persistent deficiencies, this also might be grounds for an easily-provable violation.
Timing: DFS is widely recognized as taking the lead in a number of regulatory fields, and particularly cybersecurity. This suggests that an enforcement action will come sooner rather than later, for one way that DFS can maintain its lead is to continue developing regulatory standards and expectations through enforcement. And as other government agencies slowly enter the cybersecurity enforcement arena via new legislation or regulation, including the proposed revision to the FTC's "Safeguards Rule" that covers financial institutions, and the New York Shield Act, which reaches many businesses operating in New York, this will likely incentivize DFS to act in the near term as well.
Media reports point to at least one recent major cyber breach occurring at a DFS-regulated entity. It was reported in May 2019 that First American Financial Corporation, a title insurer, suffered a data breach involving 885 million records relating to mortgage deals. Highly personal information such as bank account numbers apparently were taken in the hack. Additionally, it was reported very recently that a major breach at cloud providers, caused by Chinese state actors (called Cloud Hopper), may have touched on one or more DFS licensees. Whether any of these incidents will land these or other firms in the DFS enforcement cross-hairs remains to be seen. What does seem knowable is that the enforcement hammer is likely being forged and tempered at this moment for a possibly imminent arrival.
Matthew L. Levine formerly served as Executive Deputy Superintendent for Enforcement at DFS and as a federal prosecutor, and is now a compliance consultant at Guidepost Solutions.