NYDFS Penalizes Financial Services Firm for Cybersecurity Lapses Leading to Data Exposure

January 31, 2025

The Case

A financial services firm has agreed to a $2 million settlement with New York State regulators over cybersecurity failures that exposed customers' Social Security numbers. An investigation by the New York State Department of Financial Services (NYDFS) found that the firm failed to properly staff key cybersecurity roles and provide adequate training, leading to a data exposure incident.

Teams that lacked familiarity with the firm’s systems and application development processes made changes to data flows for IRS Form 1099-Ks, which led to data exposure. The firm self-reported the breach and has since rectified the issues and improved its cybersecurity practices.

Regulatory Implications

This case highlights critical regulatory expectations for cybersecurity governance, particularly in financial services. The NYDFS action underscores key compliance themes:

  • Cybersecurity Governance and Staffing:
    Regulators expect financial institutions to employ personnel with appropriate expertise in cybersecurity functions. Inadequate staffing and training can lead to enforcement actions.

  • Change Management Controls:
    Implementing system changes without proper risk assessments can expose firms to cybersecurity threats. NYDFS emphasizes the importance of structured, documented security reviews before changes are deployed.

  • Incident Response and Regulatory Self-Reporting:
    The firm’s prompt self-reporting likely mitigated penalties. However, the case serves as a reminder that firms must not only report breaches but also demonstrate robust remediation efforts.

  • Third-Party and Internal Risk Management:
    Even internal teams must follow security protocols to prevent data exposure. Firms should establish checks and oversight to prevent unauthorized access due to system modifications.

Practical Guidance for Firms

To strengthen cybersecurity compliance and mitigate regulatory risks, firms should take proactive steps:

  1. Staff cybersecurity leadership roles with qualified professionals who have expertise in regulatory expectations.

  2. Require security assessments and approvals before making system modifications that could impact customer data.

  3. Provide training for employees, particularly those handling system changes, to improve cybersecurity awareness and adherence to internal security protocols.

  4. Regularly audit system access and apply multi-factor authentication to reduce the risk of unauthorized entry.

  5. Establish clear reporting and remediation procedures to demonstrate regulatory compliance and risk management in the event of a breach.

InnReg helps financial firms strengthen cybersecurity governance and compliance frameworks. If you need help enhancing your firm’s cybersecurity compliance, contact us to learn more.


© 2025 InnReg LLC

305-908-1160

LinkedIn Innreg
X InnReg

9100 S Dadeland Blvd
Suite 1500
Miami, Florida 33156

The content provided on this website is for informational purposes only and does not constitute legal, investment, tax, or other professional advice. InnReg LLC is not a law firm, tax advisor, or regulated financial institution. Viewing this site or contacting InnReg does not create a client relationship. Results described in case studies or testimonials may not be typical and do not guarantee future outcomes. Tools, spreadsheets, or guides available on this site are provided for illustrative purposes only and should not be relied upon without professional guidance. Any links to third-party websites are provided for convenience and do not constitute endorsement or responsibility for their content. The information on this site may not be applicable in all jurisdictions. While we strive to provide accurate content, we make no representations as to its completeness or timeliness. Some visual assets on this site are sourced from Freepik.
