DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Brokerage firm agrees to $3 mln deal for New York cybersecurity rule violations

Posted on April 15, 2021 by Dissent

Sara Merken reports:

Brokerage firm National Securities Corp has agreed to pay $3 million in a settlement with New York’s financial services regulator over shortfalls that resulted in four cybersecurity breaches involving unauthorized access to email accounts.

Read more on Reuters.


NY DFS’s press release: 

Superintendent of Financial Services Linda A. Lacewell announced today that National Securities Corporation (“National Securities”) will pay a $3 million penalty to New York State for violations of DFS’s Cybersecurity Regulation that caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, including thousands of New York consumers.

“The Department remains committed to taking nation-leading action to ensure that all licensees abide by DFS’s Cybersecurity Regulation and safeguard the private data of all consumers,” said Superintendent Lacewell. “As cyber threats continue to surge, the Department expects regulated licensees to prioritize cybersecurity and the protection of private data.”

National Securities, a licensed insurance company, collects private data in the course of its day-to-day operations, selling life insurance, accident and health insurance, and variable life/variable annuities insurance. The Department’s investigation uncovered evidence that National Securities had been the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the Department as mandated by the Cybersecurity Regulation.

These cyber breaches involved the unauthorized access of the email accounts of National Securities employees and independent contractors, who have access to a significant amount of sensitive personal data of National Securities’ customers.  The investigation uncovered, among other things, that National Securities violated the DFS Cybersecurity Regulation in failing to implement Multi-Factor Authentication (“MFA”), and without implementing reasonably equivalent or more secure access controls approved in writing by the Company’s Chief Information Security Officer.  Further, National Securities falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018, due to the fact that MFA was not fully implemented.

As part of the settlement, National Securities agreed to the penalty and commenced further improvements to its existing cybersecurity program, ensuring that its cybersecurity controls are fully compliant with the Cybersecurity Regulation.

DFS’s Cybersecurity Regulation became effective in March 2017.  The Cybersecurity Regulation was drafted with substantial industry input:  DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of those surveyed and cybersecurity experts during the drafting period, and granted two rounds of notice and comment.  Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019.

DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors.


A copy of the consent order can be found on the DFS website.

Related posts:

  • NY: DFS Superintendent Adrienne A. Harris Announces Updated Cybersecurity Regulation 
  • NYS announces $8 Million Penalty Against Genesis Global Trading, Inc. After DFS Investigation Finds Significant Failings in Anti-Money Laundering and Cybersecurity Programs
  • NYS Department of Financial Services Announces Cybersecurity Fraud Alert
  • Attorney General James and DFS Superintendent Harris Secure $11.3 Million from Auto Insurance Companies over Data Breaches
Category: Business SectorCommentaries and AnalysesOf NoteU.S.

Post navigation

← Two Somerset County school districts report cyber attacks
Houston Rockets Hit by “Babuk” Ransomware →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.