Superintendent of Financial Services Linda A. Lacewell announced today that the Department of Financial Services (DFS) has entered into an agreement with MUFG Bank under which MUFG will pay $33 million to DFS to settle all claims related to the bank`s conduct at a New York State-regulated institution. The agreement announced today governs a lawsuit filed by the bank in connection with the 2017 MUFG application to the Office of the Comptroller of the U.S. Currency to convert its state-authorized offices in New York, Illinois and California and its state-licensed agency offices in Texas into state-licensed branches and agency offices. DraftKings Inc. pay $8 million to settle class actions that participated in advertising campaigns that distorted the difficulty of daily fantasy sports competitions and the terms of promotional offers under the terms of a settlement proposal filed in the District of Massachusetts. A copy of the Final Settlement Agreement can be found here. DraftKings has agreed to create two settlement funds. The first consists of $7.28 million in ”DK dollars” – equivalent cash site credits that allow players to play competitions on the DraftKings DFS platform – payable to group members with an open account. On March 3, 2021, DFS announced a settlement with Residential Mortgage Services, Inc.
(RMS), a licensed mortgage banker. As part of the settlement, RMS agreed to pay a fine of $1.5 million and make improvements to its cyber security program to ensure compliance with the Cyber Security Regulations. According to the agency, a DFS investigation in July 2020 revealed evidence that RMS had been the subject of a cyber breach in 2019 that had not been reported to DFS, in violation of Part 500.17 of the Cybersecurity Regulation. The breach involved a phishing email sent to the email account of an RMS employee with access to sensitive customer data. The employee responded to the phishing email by following a link to a malicious website where she provided her credentials to the intruder. During the audit of RMS, DFS found that RMS had violated the Cybersecurity Regulation by failing to report the breach. DfS also found that RMS also breached the regulation by failing to conduct a comprehensive cybersecurity risk assessment. As part of the settlement, National Securities accepted the penalty and began making further enhancements to its existing cybersecurity program to ensure its cybersecurity controls are fully compliant with the Cyber Security Regulations.
The billing class includes all individuals in the U.S. who made an initial deposit to their DraftKings Daily Fantasy Sports account prior to January 1, 2018 and suffered a net loss on DraftKings. The proposed settlement, filed Wednesday, also states that DraftKings will not oppose a class counsel`s claim for $1.9 million in fees and reimbursement of $100,000 in expenses. On the 14th. In April 2021, DFS announced a settlement with National Securities Corporation (National Securities), a licensed insurance company. National Securities agreed to pay a $3 million fine as part of the settlement. DFS` investigation into National Securities found evidence that National Securities was subjected to four cyberattacks between 2018 and 2020, two of which had not been reported to DFS under the Cybersecurity Regulation. The violations involved unauthorized access to the email accounts of National Securities employees and independent contractors. Among other things, DFS concluded that National Securities violated the Cybersecurity Regulation by failing to implement multi-factor authentication or reasonably equivalent access controls. ”DFS is pleased to have reached an agreement with the bank to end this litigation,” said Superintendent Lacewell. ”Today`s agreement reinforces the strength of our country`s dual banking system and reaffirms New York`s authority to vigorously protect our financial markets and consumers.” The New York State Department of Financial Services (”DFS”) has entered into a settlement agreement (the ”Settlement Agreement”) with PricewaterhouseCoopers LLP (”PwC”) in connection with the advisory services provided by PwC to the Tokyo branch of the Bank of Tokyo – Mitsubishi UFJ, Ltd.
(”BTMU”), pursuant to which PwC: (1) paid a fine of $25 million; (2) has been suspended for 24 months from the acceptance of advisory contracts for PwC`s regulatory services unit with financial institutions regulated by DFS; and (3) has been required to undertake a series of reforms to its practices and procedures to address conflicts of interest that may arise through consultative arrangements. The agreement, which settles claims of approximately 3.15 million people, leaves unresolved claims against FanDuel Inc. in the consolidated multi-district dispute. The Cybersecurity Division of the New York State Department of Financial Services (DFS) continues to strengthen enforcement of the Cybersecurity Regulation. In two recent comparisons, DFS has begun to provide an overview of the application of the Cybersecurity Regulation, 23 NYCRR Part 500. Previously, we covered the Cybersecurity Regulation here. In both cases, DFS focused on the inability of regulated organizations to report cyberattacks in a timely manner, as required by the Cybersecurity Regulation. Both cases also involved breaches of the company`s messaging systems and the inability to adequately control access to systems containing customers` sensitive personal data. As discussed below, these comparisons highlight three fundamental requirements of the Cybersecurity Regulation: timely reporting of breaches (23 NYCRR 500.17); Conducting a cybersecurity risk assessment (23 NYCRR 500.9); and the implementation of appropriate access controls, including multi-factor authentication (23 NYCRR 500.12). A copy of the consent order can be found on the DFS website. © Bond Schoeneck & King PLLC | Financial Services Advertising Superintendent Linda A. Lacewell announced today that National Securities Corporation (”National Securities”) will pay a $3 million fine to the State of New York for violations of DFS cybersecurity regulations that resulted in the disclosure of a significant amount of its clients` sensitive and non-public personal information, including thousands of New York consumers.
These cyberviolations involved unauthorized access to the email accounts of National Securities employees and independent contractors who have access to a significant amount of sensitive personal information of National Securities clients. The investigation revealed, among other things, that National Securities violated the DFS Cybersecurity Regulation by failing to implement multi-factor authentication (”MFA”) and without implementing equivalent or more secure access control approved in writing by the Company`s Chief Information Security Officer. In addition, National Securities incorrectly certified its compliance with the Cybersecurity Regulation for the 2018 calendar year because the AMF was not fully implemented. DFS expressed concern because it continues to find examples of undue influence and misconduct in the banking advisory sector. There is indirect tension and conflict in such commitments, because while the consulting firm operates in a quasi-regulatory capacity, its fees are paid by the bank, whose compliance balance sheet is evaluated. The reforms that PwC is to implement as part of the settlement agreement are intended to mitigate the effects of these conflicts of interest. Dozens of class action lawsuits against DraftKings and FanDuel Inc., the two leading daily fantasy sports companies, were consolidated and transferred to federal court in Boston in February 2016. DFS` Cybersecurity Regulation came into force in March 2017. The cybersecurity regulation was developed with considerable industry input: DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of respondents and cybersecurity experts during the editorial period, and provided two rounds of terminations and comments. An additional transposition period was granted for several provisions and the Regulation was only fully in force in March 2019. DFS` cybersecurity regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, several states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors.
National Securities, a licensed insurance company, collects private data as part of its day-to-day operations and sells life insurance, accident and health insurance, and variable life/annuity insurance. The ministry`s investigation revealed evidence that National Securities was the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the ministry as required by the Cyber Security Regulations. The plaintiffs alleged that the companies violated state gambling laws, allowed employees with access to internal contest data to use that information to compete on other people`s websites, and fraudulently advertised that they would match customers` initial deposits while masking restrictions on their matchmaking programs. . . .
