
Financial firm will pay $3M for exposing data in breaches


A New York-based securities brokerage and insurance firm will pay a $3 million penalty to the New York Department of Financial Services for exposing its customers’ private data in four cyber breaches, two of which it never reported to the department, as required.

The DFS said in a statement Wednesday that its investigation of National Securities Corp. uncovered evidence of the four cyber breaches between 2018 and 2020, which involved unauthorized access to the email accounts of its employees and independent contractors, who have access to a significant amount of sensitive personal data.

The DFS said National Securities violated the department’s cybersecurity regulation by failing to implement multi-factor authentication, and by not implementing equivalent or more secure access controls approved by the company’s chief information security officer. 

As part of the settlement, in addition to paying the $3 million, National Securities, which is a unit of B. Riley Financial Inc., began further improvements to its cybersecurity program to be compliant with the department’s cybersecurity regulation.

The regulation, which became effective in March 2017, requires insurers and other financial institutions to put in place controls to ensure a robust cybersecurity program.

National Securities said in a statement, “Upholding the trust and confidence of our valued clients remains our utmost priority. The strength of our cybersecurity program is important to us, and we take the security of customer information very seriously.

“Importantly, no customers were harmed by the events described in the Consent Order; National previously notified and addressed the concerns of the small number of potentially impacted individuals.”

The company also said it has engaged a third party to conduct a cybersecurity assessment and that it “continues to devote significant resources to further strengthen its cyber posture, including the adoption of additional training practices, more robust controls and governance policies.”