
$1.2 million settlement over cybersecurity breaches at cryptocurrency platform

The New York Department of Financial Services fines a major crypto trading platform for lapses in its cybersecurity program


On May 1, the New York Department of Financial Services (NYDFS or "Department") reached an agreement with a trading platform to address deficiencies found during inspections conducted in 2018 and 2020. The agreement focused on several issues related to the company's cybersecurity program and resulted in a $1.2 million civil fine. The company in question is a large cryptocurrency trading platform, which falls under the jurisdiction of the NYDFS because it holds a BitLicense. This license permits its holder to conduct business with virtual currencies in New York State. As a license holder, the company is a covered entity and must comply with both cybersecurity regulations and virtual currency regulations.

Lessons learned

With this enforcement investigation, NYDFS continued its focus on cybersecurity. Covered entities should consider the following points:

  1. Prioritize periodic risk assessments: they are not optional but crucial to developing an adequate and effective cybersecurity program that guides companies in mitigating risk and protecting sensitive data.
  2. Customize policies and procedures to address company-specific risks, rather than treating them as a formality. Doing so requires conducting proper periodic risk assessments and implementing accurate, well-written policies and procedures that are reviewed on a regular basis.
  3. Constantly monitor cybersecurity regulations to stay current and promote compliance.
  4. Create incident response plans that outline actions to be taken in the event of a violation.
  5. Train and educate employees and associates on cybersecurity policies, procedures and best practices.

Investigation details

The Cybersecurity Regulation requires that a licensee conduct a periodic risk assessment of its information systems, sufficient to inform the design of the entity's cybersecurity program, and update that assessment in response to changes in its information systems, non-public information or business operations. During its investigation, NYDFS identified three primary concerns:

  1. the audit conducted by the firm was too limited and inadequately focused to meet the requirement to conduct periodic risk assessments of its information systems;
  2. the company failed to create and maintain an adequate cybersecurity program;
  3. the company had not implemented a written cybersecurity policy.

Consequences and recommendations

The consent order and the amount of the fine underscore NYDFS's continued interest in prioritizing cybersecurity through its enforcement actions, and how seriously it will address these issues. Despite the extensive cooperation with the Department described in the consent order, NYDFS still elected to impose a substantial $1.2 million fine. This outcome underscores the importance of developing and maintaining a robust cybersecurity program that includes periodic risk assessments and written policies and procedures. That requires collaboration between the board's security team, the IT team, internal legal staff, compliance and external partners to ensure that the cybersecurity program and its written documentation comply with current regulations, and that risk assessments are conducted, and are sufficiently thorough, to meet the expectations of the regulator.


06/07/2023 05:13

Editorial AI
