
New York DFS Creates New Cybersecurity Division

May 29, 2019

On May 22, 2019, the New York State Department of Financial Services (“DFS”) announced the creation of a new Cybersecurity Division, which it described as the “first of its kind at a banking or insurance regulator.” The new Cybersecurity Division will “enforce [DFS’s] cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’s cybersecurity regulations, and conduct cyber-related investigations[.]” The division will also disseminate information on trends and threats concerning cyber-attacks.[1] 

The Cybersecurity Division will be led by Justin Herring, who had been Chief of the Cyber Crimes Unit in the United States Attorney’s Office for the District of New Jersey. In that role, Herring supervised cybercrime cases, including national security threats, malware and ransomware campaigns, as well as hacks targeting corporations, financial institutions, accounting firms, and the government.[2] The DFS press release also highlighted his “substantial experience” in digital currency cases, including tracing digital currency transactions, investigating money laundering through digital currency, and prosecuting unlicensed digital currency exchanges. 

The creation of the new Cybersecurity Division suggests that DFS intends to vigorously enforce and examine compliance with its groundbreaking cybersecurity regulations, which were proposed in September 2016,[i] and which went into effect in phases during a two-year transitional period ending March 1, 2019.[3] Former DFS Superintendent Maria T. Vullo, in a memorandum issued last year, explained that the regulations are intended “to bolster the financial services industry’s defenses against cybersecurity attacks, in order to protect our markets and consumers’ private information.”[4]

DFS’s cybersecurity regulations require covered DFS-regulated banks, insurance companies, and other financial institutions to establish and maintain programs and policies designed to protect consumer information as well as information technology systems, and to file an annual certification confirming compliance with the regulations.[5] Covered institutions must also, among other things:

  • Conduct periodic risk assessments;[6]
  • Designate a Chief Information Security Officer responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy;[7]
  • Establish an incident response plan designed to respond to unauthorized attempts to access electronic information;[8] and
  • Under certain circumstances, notify DFS when unauthorized attempts to access electronic information have occurred.[9]

The creation of the Cybersecurity Division follows on Acting Superintendent Linda A. Lacewell’s decision last month to consolidate two former divisions into a new Consumer Protection and Financial Enforcement Division.[10]

We will continue to monitor developments at DFS and look forward to providing you with further updates.

*       *       *

[i] See https://www.paulweiss.com/media/3721011/15sept16cyber.pdf.

[1] DFS Press Release, “Acting Superintendent Linda A. Lacewell Names Justin Herring Executive Deputy Superintendent of Newly Created Cybersecurity Division,” May 22, 2019, https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1905221.

[2] Id.

[3] See 23 NYCRR 500.22.

[4] DFS Memorandum, “DFS Cybersecurity Regulation – First Two Years and Next Steps,” Dec. 21, 2018, https://www.dfs.ny.gov/system/files/documents/2019/01/cyber_memo_12212018.pdf.

[5] See 23 NYCRR 500.00, 500.01(c), 500.02, 500.03.

[6] See 23 NYCRR 500.09.

[7] See 23 NYCRR 500.04.

[8] See 23 NYCRR 500.16.

[9] See 23 NYCRR 500.17.

[10] See https://www.paulweiss.com/media/3978627/3may19-dfs.pdf.

© 2024 Paul, Weiss, Rifkind, Wharton & Garrison LLP
