On May 1, 2023, bitFlyer USA, Inc. (“bitFlyer”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) for multiple deficiencies in bitFlyer’s cybersecurity program, most notably for failure to conduct periodic risk assessments sufficient to inform the design of bitFlyer’s cybersecurity program (as required by 23 NYCRR § 500.09(a)). BitFlyer operates a cryptocurrency trading platform and provides custodial wallet services for U.S. dollars and digital currencies, holding a virtual currency license (commonly referred to as a BitLicense) under DFS’s Virtual Currency Regulation (23 NYCRR Part 200). By virtue of its BitLicense, bitFlyer is a “Covered Entity” and must comply with DFS’s Cybersecurity Regulation (23 NYCRR Part 500), as well as with DFS’s cybersecurity-specific requirements for virtual currency licensees (23 NYCRR § 200.16), which contain requirements substantially similar to those set forth in the Cybersecurity Regulation.
DFS discovered the cybersecurity failings during examinations of bitFlyer in 2018 and 2020. The examinations covered a period of almost three years (November 27, 2017, the date bitFlyer obtained its BitLicense, through September 30, 2020), and led to the $1.2 million penalty based on the following key findings:
Failure to conduct periodic risk assessments (23 NYCRR § 500.09(a)). bitFlyer did not perform periodic risk assessments, the essential core component of a Covered Entity’s cybersecurity program. DFS reiterated that risk assessments are a necessary prerequisite to designing and establishing an effective and compliant cybersecurity program. Notably, DFS found that bitFlyer’s reliance on a generic IT audit by its parent company (at the time), bitFlyer, Inc. (Japan), did not satisfy DFS’s cybersecurity risk assessment requirement because the IT audit did not “provide visibility into the organization’s security risks or how the organization can mitigate those risks.” In the Order, DFS indicated that a cyber-specific risk assessment, not a generic IT audit (or assessment), is required to meet § 500.09(a); however, it is unclear whether a more comprehensive IT audit (one providing visibility into bitFlyer’s risks and how to mitigate them) would have been sufficient.
In emphasizing the importance of a comprehensive risk assessment, DFS noted that the risk assessment is a “necessary prerequisite” for numerous other requirements – penetration testing (23 NYCRR § 500.05), audit trails (23 NYCRR § 500.06), review of access privileges (23 NYCRR § 500.07), third-party provider policies (23 NYCRR § 500.11), implementation of multi-factor authentication (23 NYCRR § 500.12), cybersecurity awareness training (23 NYCRR § 500.14(b)), and data encryption (23 NYCRR § 500.15). DFS did not, however, find that bitFlyer violated any of those provisions. Notably, DFS declined to include application security (23 NYCRR § 500.08) and limitations on data retention (23 NYCRR § 500.13) in that listing. Those two sections do not contain express references to the risk assessment, but they do cite the overall cybersecurity program, which must itself be informed by the organization’s risk assessment; their omission suggests, at least, that DFS does not regard risk-assessment-driven customization as necessary for its application security and data retention requirements.
Failure to establish and maintain an effective cybersecurity program (23 NYCRR § 200.16(a)). By failing to perform a comprehensive risk assessment, bitFlyer failed to design a cybersecurity program to “protect its electronic systems and information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure, in violation of 23 NYCRR § 200.16(a).” Again, DFS emphasized the importance of conducting risk assessments because they necessarily inform the Covered Entity’s cybersecurity program. Without explanation, though likely because of the overlap in requirements, DFS did not identify as a violation Section 500.02, the counterpart to § 200.16(a) in the general Cybersecurity Regulation.
Failure to implement a written cybersecurity policy (23 NYCRR § 200.16(b)). BitFlyer did not “implement” accurate policies and procedures reflective of its own organizational structure, but rather leveraged a number of its Japanese parent’s policies and procedures, many of which were English translations of Japanese originals, while others were not translated at all. Perhaps more egregiously, some of the policies appeared to be templates that bitFlyer failed to update, as they still included references to “ABC Company.” Finally, bitFlyer did not review the policies and procedures annually, nor did it obtain board approval of the policies. As above, DFS did not include a violation of Section 500.03, which is the general requirement to “implement and maintain” written policies on a similar list of subjects.
In addition to the $1.2 million penalty levied by DFS, bitFlyer agreed to a remediation plan designed to bring it into compliance with the Cybersecurity Regulation and the Virtual Currency Regulation by December 31, 2023.