New York Department of Financial Services Announces Creation of Cybersecurity Division
New York is the first state to establish a department within a financial regulatory agency that is tasked with protecting consumers and financial markets against cyber threats.
On May 22, 2019, the New York Department of Financial Services ("DFS") announced the creation of a Cybersecurity Division to protect the state's financial services industry from cyber threats. New York is the first state to establish within a financial regulatory agency a department tasked with protecting consumers and financial markets against the risk of cyber threats. The agency has long maintained a leading role among state financial service regulators in addressing cyber issues, and the creation of the division represents the state's latest effort to underscore its commitment to addressing digital threats.
The Acting DFS Superintendent Linda Lacewell has named Justin Herring as the executive deputy superintendent in charge of the new division. Previously, Mr. Herring was chief of the first Cyber Crimes Unit at the U.S. Attorney's Office of New Jersey and is expected to bring expertise in cybercrime and digital currencies.
The new Cybersecurity Division will:
- Enforce the DFS's cybersecurity regulations;
- Advise on cybersecurity examinations;
- Issue cyber-related guidance;
- Conduct cyber-related investigations with the Consumer Protection and Financial Enforcement Division; and
- Disseminate trends and threat information about cyberattacks.
In particular, the Cybersecurity Division will enforce and issue guidance on the NYDFS Cybersecurity Requirements, promulgated in 2017 to establish baseline cybersecurity standards for banks, insurance companies, and other covered financial institutions. Those include funding and staffing requirements for cybersecurity programs, risk-based standards for technology systems, procedures for addressing breaches, and annual certifications of regulatory compliance with the DFS.
The move by DFS indicates the agency's intent to increase its focus on cybersecurity issues going forward. However, it remains to be seen whether this will result in more rigorous enforcement of New York's cybersecurity regulations.
We will continue to monitor these state efforts.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.