$2 Million Cybersecurity Penalty from NYDFS for Large Financial Technology Co.
The New York State Department of Financial Services (NYDFS) recently issued a consent order that carries a $2 million penalty against a large financial technology company for alleged violations found during NYDFS’ investigation of both the company’s 2022 cybersecurity event and its compliance with New York’s cybersecurity regulations more generally.
The company’s 2022 cybersecurity event was related to the update of a tax form it issues to many of its customers. The update allegedly was misclassified internally and thus did not go through the proper risk and control processes, ultimately exposing customer non-public personal information. After the company found the cybersecurity issue in 2022, it immediately remediated by masking the non-public personal information and forcing password resets, implementing CAPTCHA and rate limiting, updating the relevant policies, providing additional training to the appropriate team, and improving its capabilities for monitoring new code. It also now requires multi-factor authentication for all U.S. customers.
NYDFS alleged that the company violated the New York cybersecurity regulations by failing to: (i) properly implement its cybersecurity policies and procedures; (ii) have qualified personnel perform and oversee cybersecurity functions; and (iii) effectively protect against unauthorized access to consumers’ non-public personal information.