On April 14, 2021, the New York Department of Financial Services (DFS) announced it settled an enforcement action against National Securities Corporation (“National Securities”) related to claims under the Cybersecurity Regulation, 23 NYCRR Part 500. The Consent Order imposes a $3 million penalty, various remediation measures and represents a flurry of cybersecurity activity by the regulator in the first quarter of 2021. Over the last two months DFS settled two enforcement actions and issued amended charges against First American, the first charges under the Cybersecurity Regulation, originally announced less than a year ago.
April 14, 2021, Settlement
National Securities is a brokerage and insurance firm headquartered in New York and licensed by DFS to sell insurance, making it subject to the Cybersecurity Regulation. In compliance with the regulation, the firm reported two separate Cybersecurity Events that occurred in 2019 and 2020, both involving email accounts that lacked Multi-Factor Authentication (MFA) or alternative controls attacked through a phishing scheme. Both incidents potentially impacted customers’ nonpublic information (NPI).
During the…
