Superintendent of Financial Services Linda A. Lacewell announced today that National Securities Corporation (“National Securities”) will pay a $3 million penalty to New York State for violations of DFS’s Cybersecurity Regulation that caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, including thousands of New York consumers. 

“The Department remains committed to taking nation-leading action to ensure that all licensees abide by DFS’s Cybersecurity Regulation and safeguard the private data of all consumers,” said Superintendent Lacewell. "As cyber threats continue to surge, the Department expects regulated licensees to prioritize cybersecurity and the protection of private data.” 

National Securities, a licensed insurance company, collects private data in the course of its day-to-day operations, selling life insurance, accident and health insurance, and variable life/variable annuities insurance. The Department’s investigation uncovered evidence that National Securities had been the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the Department as mandated by the Cybersecurity Regulation. 

These cyber breaches involved the unauthorized access of the email accounts of National Securities employees and independent contractors, who have access to a significant amount of sensitive personal data of National Securities’ customers.  The investigation uncovered, among other things, that National Securities violated the DFS Cybersecurity Regulation in failing to implement Multi-Factor Authentication (“MFA”), and without implementing reasonably equivalent or more secure access controls approved in writing by the Company’s Chief Information Security Officer.  Further, National Securities falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018, due to the fact that MFA was not fully implemented. 

As part of the settlement, National Securities agreed to the penalty and commenced further improvements to its existing cybersecurity program, ensuring that its cybersecurity controls are fully compliant with the Cybersecurity Regulation.  

DFS’s Cybersecurity Regulation became effective in March 2017.  The Cybersecurity Regulation was drafted with substantial industry input:  DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of those surveyed and cybersecurity experts during the drafting period, and granted two rounds of notice and comment.  Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019.   

DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors. 

For a copy of the consent order go to the DFS website.

###