DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Brokerage firm agrees to $3 mln deal for New York cybersecurity rule violations

Posted on April 15, 2021 by Dissent

Sara Merken reports:

Brokerage firm National Securities Corp has agreed to pay $3 million in a settlement with New York’s financial services regulator over shortfalls that resulted in four cybersecurity breaches involving unauthorized access to email accounts.

Read more on Reuters.


NY DFS’s press release: 

Superintendent of Financial Services Linda A. Lacewell announced today that National Securities Corporation (“National Securities”) will pay a $3 million penalty to New York State for violations of DFS’s Cybersecurity Regulation that caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, including thousands of New York consumers.

“The Department remains committed to taking nation-leading action to ensure that all licensees abide by DFS’s Cybersecurity Regulation and safeguard the private data of all consumers,” said Superintendent Lacewell. “As cyber threats continue to surge, the Department expects regulated licensees to prioritize cybersecurity and the protection of private data.”

National Securities, a licensed insurance company, collects private data in the course of its day-to-day operations, selling life insurance, accident and health insurance, and variable life/variable annuities insurance. The Department’s investigation uncovered evidence that National Securities had been the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the Department as mandated by the Cybersecurity Regulation.

These cyber breaches involved the unauthorized access of the email accounts of National Securities employees and independent contractors, who have access to a significant amount of sensitive personal data of National Securities’ customers.  The investigation uncovered, among other things, that National Securities violated the DFS Cybersecurity Regulation in failing to implement Multi-Factor Authentication (“MFA”), and without implementing reasonably equivalent or more secure access controls approved in writing by the Company’s Chief Information Security Officer.  Further, National Securities falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018, due to the fact that MFA was not fully implemented.

As part of the settlement, National Securities agreed to the penalty and commenced further improvements to its existing cybersecurity program, ensuring that its cybersecurity controls are fully compliant with the Cybersecurity Regulation.

DFS’s Cybersecurity Regulation became effective in March 2017.  The Cybersecurity Regulation was drafted with substantial industry input:  DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of those surveyed and cybersecurity experts during the drafting period, and granted two rounds of notice and comment.  Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019.

DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors.


A copy of the consent order can be found on the DFS website.

Category: Business SectorCommentaries and AnalysesOf NoteU.S.

Post navigation

← Two Somerset County school districts report cyber attacks
Houston Rockets Hit by “Babuk” Ransomware →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.