1 min read

Financial Services Firm to Pay $3MM for Exposing Data in Cyber Breaches

Financial Services Firm to Pay $3MM for Exposing Data in Cyber Breaches

A New York-based securities brokerage and insurance firm will pay a $3 million penalty to the New York Department of Financial Services (NYDFS) for exposing its customers' private data in four cyber breaches, two of which it never reported to the department.

The NYDFS said in a statement this week that its investigation of National Securities Corp (NSC) uncovered evidence of the four cybersecurity incidents between 2018 and 2020. The breaches involved unauthorized access to its employee's email accounts, who have access to a significant amount of sensitive personal data. According to the NYDFS statement, NCS violated the department's cybersecurity regulation by failing to implement multi-factor authentication and not implementing equivalent or more secure access controls approved by the company's chief information security officer.  

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the NYDFS that places cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017, after two rounds of feedback from the industry and the public. These regulations acknowledge the ever-growing threat posed to financial systems by cybercriminals and are designed to ensure businesses effectively protect their customer's confidential information from cyber-attacks. The regulation requires conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructures, maintaining policies and procedures for cybersecurity, and creating an incident response plan.

Here are few essential points to keep in mind about the NYDFS regulations:

  • NYDFS rules on breach reporting cover a far broader type of cyber event than any other state. The organization has to report stolen information and attempt to gain access or disrupt or misuse the system. This includes denial-of-service (DoS), ransomware, and any post-exploitation where system tools are leveraged and misused. Look for monitoring systems that can detect unusual access to sensitive data.
  • There are significant training requirements for all employees. Companies will have to provide corporate training to "address relevant cybersecurity risks." Information technology staff are not off the hook either; they are required to take steps to keep professionally current with cybersecurity trends. Financial companies in New York will likely need to up their training budgets to meet these rules.
  • Data classification is a critical first step in performing a risk assessment. A security team will need to determine how much PII is in the organization, where it is located, and who has access to it to evaluate the potential risk. This information is then used to tune access rights to this sensitive data so that only those who need data as part of their role have access and no one else.
CMMC: A Guide for Small Businesses in the Defense Sector

CMMC: A Guide for Small Businesses in the Defense Sector

Navigating the complexities of CMMC can be daunting, but understanding its essentials is crucial for small businesses in the defense sector.

Read More
How To Transform Your Cybersecurity From A Cost Center To A Business Enabler

How To Transform Your Cybersecurity From A Cost Center To A Business Enabler

Unlock the potential of your cybersecurity strategy to drive business growth and enhance customer trust.

Read More
The Importance of Cybersecurity for SMEs in Today's Digital Age

The Importance of Cybersecurity for SMEs in Today's Digital Age

In an era of ever-evolving digital threats, the recent cyberattacks on significant companies like Stop & Shop and AT&T highlight the crucial need for...

Read More