To embed, copy and paste the code into your website or blog: On April 14, 2021, the New York Department of Financial Services (“NYDFS”) announced a settlement with National Securities Corporation (“National Securities”), a licensed insurer, in connection with claims under the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). The consent order requires payment of a $3M penalty and mandatory remediation in response to alleged failures to properly implement multi-factor authentication, provide notice to NYDFS of two cybersecurity events reported to other regulators in 2018 and 2019, and for falsely certifying compliance for the calendar year 2018. The consent order demonstrates continued active enforcement of the Cybersecurity Regulation by the NYDFS. The $3M penalty is the largest published assessment to date for alleged violations of the Cybersecurity Regulation. The consent order follows a $1.5M assessment in a separate matter announced last month. It is the second order (in a relatively short period of time) that specifically targets undisclosed prior security incidents. The consent order is the first announced order to specifically fault a licensee for a false annual certification (in this case, for a certification relating to the 2018 calendar year). Thus, the consent order highlights the NYDFS’s continued strong interest in assessing past as well as current-state compliance with the Cybersecurity Regulation.