Robinhood Crypto, LLC has been ordered to pay $30 million to New York State for significant failures in its Bank Secrecy Act/anti-money laundering obligations and cybersecurity. In addition to the fine, the company will be required to retain an independent consultant to perform a comprehensive evaluation of its compliance with the Department’s Regulations and its remediation efforts.
New York Cybersecurity Regulation
As a company regulated by the New York Department of Financial Services (DFS), there are several requirements that must be met. The ones pertinent to this case are explained below.
Firstly, as a DFS-regulated entity, a company must establish and maintain a cybersecurity program. This program must be designed to protect the confidentiality, integrity, and availability of its information systems and non-public information (NPI).
Secondly, companies are required to have procedures and standards promoting accountability for the program. These must include the Chief Information Officer reporting in writing to the company’s board or governing body, at least once a year.
Thirdly, all DFS-regulated entities are required to annually certify their compliance with this Regulation.
It was found that Robinhood Crypto, LLC failed to fully comply with the Regulation. It relied on the cybersecurity program of its parent company, which it had every right to do. However, the parent company’s policies and procedures did not fully address the company’s operations, risks, and reporting lines, and were not in full compliance with the requirements of the Regulation.
Enterprise-wide procedures and standards were found not to adequately promote accountability. Because of deficient procedures, the board was unable to approve the written cybersecurity policy annually.
The cybersecurity personnel employed were not sufficient to manage the risks or perform the core functions. Additionally, the policies and procedures that were established were not detailed enough to guide:
- Data governance and classification
- IT asset management
- Business continuity and disaster recovery (BCDR) planning
- Systems operations and availability concerns
- System and network monitoring
- Systems and application development
- Configuration and change management
- Physical security and environmental control
- Vulnerability and patch management
- Risk assessment
- Incident response activities.
The company’s risk assessment was not satisfactory. It failed to adequately address cybersecurity and information security, lacking, for example:
- Criteria for evaluating and categorizing identified cybersecurity risks or threats
- Additional criteria for the assessment of confidentiality, integrity, security, and the availability of the entity’s information systems and NPI
- Requirements describing how identified risks will be addressed.
Written procedures, guidelines, and standards designed to promote the secure development and testing of applications were lacking. The BCDR plan failed to provide an adequate level of detail regarding important business functions. The company also improperly certified compliance with the Regulation for the 2019 calendar year. On examination, it was found that the company’s breach response plan included no process for notifying regulators and law enforcement in the event of a cybersecurity incident.
Robinhood Crypto, LLC has since devoted additional resources to its cybersecurity program. It has also adopted a set of written cybersecurity policies and procedures unique to its business. It will be required to pay the penalty of $30 million and to hire an independent consultant to analyse its remediation efforts and compliance.
Superintendent of Financial Services Adrienne A. Harris announced the findings and penalties. Harris said Robinhood Crypto “failed to invest” the resources and attention needed to create a culture of compliance:
“All virtual currency companies licensed in New York State are subject to the same anti-money laundering, consumer protection, and cybersecurity regulations as traditional financial services companies. DFS will continue to investigate and take action when any licensee violates the law or the Department’s regulations, which are critical to protecting consumers and ensuring the safety and soundness of the institutions.”
Superintendent Harris, https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202208021
Value Privacy are on hand to make privacy simple.
Available for all your data, privacy, and cybersecurity needs, we can help make sure your company is prepared against cyberattacks. Contact us today to find out how we can help you.