On January 23, 2025, the New York Department of Financial Services announced that it had entered into a Consent Order with a Peer-to-Peer Payment Processor for alleged violations of New York’s Cybersecurity Regulation. This regulation requires all financial and banking entities operating in New York to establish and maintain adequate cybersecurity controls and protections for nonpublic information, and to report breaches to the NY DFS within 72 hours.
The NY DFS alleged that the Payment Processor experienced a cybersecurity breach in December 2022 that led to customers’ unmasked Social Security Numbers and Form 1099-Ks to be available publicly, in violation of the Cybersecurity Regulation’s requirements. Following the breach, the Payment Processor cooperated fully with the NY DFS and instituted additional measures to remediate the flaw in its cybersecurity controls.
Pursuant to the Consent Order, the Payment Processor will pay a civil monetary penalty of $2 million dollars.