On May 1, NYDFS settled with a cryptocurrency trading platform over the company’s cybersecurity deficiencies, resulting in a consent order and $1.2 million fine for the crypto company. NYDFS alleged “multiple deficiencies in the Company’s cybersecurity program” discovered during NYDFS examinations in 2018 and 2020. The examinations prompted an investigation, ultimately leading to the consent order and the fine.
Businesses are subject to NYDFS legal requirements through its Cybersecurity and Virtual Currency Regulations (23 NYCRR Part 500). Under these regulations, businesses must establish and maintain a sufficient cybersecurity program, conduct risk assessments, update and remediate their cybersecurity programs to ensure that they are up to date, obtain board approval for policies, and maintain a written security policy.
NYDFS alleged that the cryptocurrency trading platform failed to perform comprehensive risk assessments or maintain written security policies. The investigation revealed that many of the company’s “written policies and procedures were English translations of Japanese originals; some portions were poorly translated, while others (such as graphs) were not translated at all.” The consent order did acknowledge that the company was cooperative with NYDFS and agreed to undertake remediation efforts that would make the company compliant with NYDFS regulations by the end of 2023.
Putting it Into Practice: This is just the latest in a series of actions against crypto companies that have resulted in fines by the New York financial regulator, one of the more active regulators of the crypto industry (see our recent blog post on this here). Crypto companies looking to do business in New York may soon have to contend with a new state law after the New York Attorney General, Letitia James, announced proposed legislation to increase oversight of the cryptocurrency industry. Named the Crypto Regulation, Protection, Transparency, and Oversight (CRPTO) Act, the bill would strengthen NYDFS’ regulatory authority over digital assets and codify the Department’s ability to license digital asset brokers, marketplaces, investment advisors, and issuers prior to engaging in business in the state. As crypto activity ramps up after its recent winter, so too will regulatory scrutiny. Crypto firms looking to operate in New York should continually monitor their cybersecurity programs, along with their AML practices, to ensure they meet the expectations of NYCRR Part 500 and a quickly changing regulatory landscape.