A recent consent order between the New York State Department of Financial Services (“NYDFS”) and the cryptocurrency trading platform bitFlyer USA (“bitFlyer”) shows that the NYDFS continues to utilize an aggressive enforcement posture with respect to cybersecurity for regulated financial services companies. Notably, the bitFlyer consent order and other recent consent orders demonstrate that NYDFS is no longer waiting for regulated entities to experience a cyber-attack before commencing an enforcement action, and, instead, is using routine examinations to uncover and prosecute companies for failing to comply with the NYDFS’s cybersecurity regulations.
Background
In 2017, the NYDFS promulgated first-of-its-kind regulations establishing cybersecurity requirements for financial services companies. 23 NYCRR Part 500. These regulations were amended once and a proposed second amendment was published in late 2022, with final amendments expected to be adopted sometime later this year.
Among other things, these regulations require companies to maintain cybersecurity programs that (1) include effective controls and secure access privileges; (2) have systems and policies in place for conducting thorough and routine cybersecurity risk assessments; and (3) provide for comprehensive training and monitoring for all employees and users, including independent contractors and vendors.
The bitFlyer Consent Order
In the Consent Order, NYDFS alleged that bitFlyer had not performed an assessment of its internal and external cybersecurity risks and threats, as required by 23 NYCRR § 500.09(a). Instead, the company relied on an IT audit performed by its former parent company. As explained by the NYDFS, “[a]lthough an IT audit ensures the existence of policies and procedures to protect an organization’s networks and computer systems, it does not provide visibility into the organization’s security risks or how the organization can mitigate those risks and, therefore, is not an acceptable substitute for a comprehensive risk assessment.”
bitFlyer’s failure to perform a comprehensive risk assessment meant that it also violated its obligation to design a cybersecurity program to protect its electronic systems, and the information stored on those systems, from unauthorized or malicious intrusion. 23 NYCRR § 200.16(a). Additionally, NYDFS found that bitFlyer had not implemented a board-approved written cybersecurity policy. 23 NYCRR § 200.16(b). Nor were its policies customized to the company’s needs and risks. The NYDFS pointed out that, among other things, the policies did not accurately reflect the organizational structure of the company and were poorly translated from Japanese (the language used by its former parent company).
Takeaways
The bitFlyer consent order demonstrates that financial services companies regulated by NYDFS face cyber enforcement risks even when there hasn’t been a cybersecurity event. This is the latest in a series of enforcement actions taken by the NYDFS against companies following its regular examinations. Accordingly, companies regulated in New York need to take their cybersecurity programs seriously. Additionally, financial services companies cannot afford to have check-the-box policies and procedures and expect to avoid regulatory scrutiny by the NYDFS. Relying on third-party cybersecurity policies will not be sufficient. Companies must instead adopt customized policies based on thoughtful risk assessments.
We will continue to monitor and report on NYDFS cybersecurity consent orders and other activities concerning the second amendment to Part 500.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.