In the ever-evolving landscape of cybersecurity, there are occasional cautionary tales that serve as important reminders for small businesses and IT service providers alike. Today, we’ll delve into the case of bitFlyer USA, Inc. (bitFlyer) and their encounter with the New York Department of Financial Services (DFS). This unfortunate incident sheds light on the consequences of non-compliance with cybersecurity regulations and offers valuable lessons for IT service providers looking to strengthen their own cybersecurity practices.
Unveiling the Cybersecurity Compliance Failure
In May 2023, bitFlyer found themselves in hot water as they entered into a Consent Order with the DFS. The order was a result of multiple deficiencies in bitFlyer’s cybersecurity program, with a notable failure to conduct periodic risk assessments as required by the regulations. Let’s take a closer look at the key findings and the subsequent penalties imposed by DFS:
1. Neglecting Periodic Risk Assessments (23 NYCRR 500.9): DFS discovered that bitFlyer had failed to perform regular risk assessments, which are essential components of a robust cybersecurity program. Instead, bitFlyer relied on a generic IT audit conducted by their parent company, bitFlyer, Inc., which fell short of DFS's cybersecurity risk assessment requirements. It became evident that a more comprehensive and cyber-specific risk assessment was necessary to meet compliance standards.
2. Failure to Establish and Maintain an Effective Cybersecurity Program (23 NYCRR500 200.16(a)): By neglecting comprehensive risk assessments, bitFlyer failed to design and implement an effective cybersecurity program to protect their electronic systems and sensitive information from unauthorized access and malicious acts. DFS emphasized the importance of risk assessments as a prerequisite for building a solid cybersecurity program.
3. Implementation of Inadequate Cybersecurity Policies (23 NYCRR500 200.16(b)): bitFlyer's cybersecurity policies and procedures were found to be lacking in several areas. Rather than crafting their own policies that reflected their organizational structure, they relied on policies from their Japanese parent company, many of which were English translations of the original documents. Some policies were even outdated and contained references to a non-existent company. Furthermore, bitFlyer did not review the policies annually or obtain board approval, further compounding their compliance issues.
Penalties and the Path to Remediation
In addition to the DFS Consent Order, bitFlyer was hit with a substantial $1.2 million settlement penalty. To rectify their cybersecurity shortcomings and regain compliance with the Cybersecurity Regulation and Virtual Currency Regulation, bitFlyer must implement a comprehensive remediation plan by December 31, 2023. This plan includes the following key steps:
1. Conducting Comprehensive Risk Assessments: bitFlyer must prioritize regular and thorough risk assessments to identify vulnerabilities and develop effective risk mitigation strategies. By understanding their security risks, they can make informed decisions to protect their systems and data.
2. Strengthening the Cybersecurity Program: Armed with insights from the risk assessments, bitFlyer should enhance their cybersecurity program. This involves implementing robust defensive measures, fortifying their electronic systems, and adopting proactive security measures to mitigate potential threats.
3. Developing Customized Policies: To demonstrate compliance, bitFlyer must develop policies and procedures tailored to their organizational structure and specific requirements. These policies should be regularly updated, reviewed annually, and approved by the board to ensure alignment with best practices and regulatory standards.
Lessons for IT Service Providers
The bitFlyer case offers important lessons for IT service providers:
1. Prioritize Risk Assessments: Regular risk assessments are critical for building a strong cybersecurity program. They provide valuable insights into vulnerabilities, allowing organizations to take proactive steps to mitigate risks and protect sensitive information.
2. Build Robust Cybersecurity Programs: Effective cybersecurity programs require more than just a checkbox approach. Organizations must invest in robust security measures, adopt a proactive stance, and continuously update their defenses to stay ahead of evolving threats.
3. Customize Policies for Compliance: Off-the-shelf policies won't cut it when it comes to compliance. Craft customized policies and procedures that align with your organization's unique structure and requirements. Regularly review and update them to maintain compliance with regulatory standards.
4. Monitor Cybersecurity Regulations: IT service providers must stay informed about the evolving regulatory landscape and ensure compliance with industry-specific cybersecurity requirements. Stay updated on changes to regulations and guidelines issued by governing bodies such as the DFS, the National Institute of Standards and Technology (NIST), or the Payment Card Industry Data Security Standard (PCI DSS).
5. Foster a Culture of Cybersecurity: IT service providers should prioritize cybersecurity training and awareness programs for their employees. Educate staff about the latest threats, best practices, and the importance of adhering to cybersecurity policies.
6. Develop Comprehensive Incident Response Plans: IT service providers should develop robust incident response plans to handle cybersecurity incidents effectively. These plans should outline the steps to be taken in the event of a breach, including communication protocols, containment measures, and recovery processes.
By applying these lessons and adopting a proactive approach to cybersecurity, IT service providers can not only protect their clients’ sensitive data but also establish themselves as trusted partners in navigating the complex cybersecurity landscape. Remember, cybersecurity is an ongoing process, and staying vigilant is key to maintaining a strong defense against evolving threats.
At Motiva, we understand the importance of staying ahead of cyber threats and providing comprehensive solutions tailored to your specific needs.
If you’re curious about where your agency stands with cybersecurity, we invite you to take advantage of our free risk assessment. Our team of cybersecurity experts will conduct a thorough evaluation of your existing security measures, identify potential gaps, and provide actionable recommendations to enhance your defenses.
By taking proactive steps and addressing any vulnerabilities early on, you can mitigate the risk of security breaches, data loss, and reputational damage. Our risk assessment will provide you with valuable insights into your current cybersecurity posture and serve as a foundation for developing a robust security strategy.
Don’t wait until it’s too late. Protect your agency’s sensitive information, maintain regulatory compliance with NY DFS, and safeguard your reputation by partnering with Motiva for your cybersecurity needs.
With over 25 years of experience, we at Motiva Networks can help you plan and see if your data has been compromised with a Free Confidential Cybersecurity Risk Assessment. Or you can schedule a quick 10-minute call to discuss the best options for your agency or small business, or to go over any questions you might have.