With innovation in data collection and monetization continuing to accelerate and concerns about data protection, privacy and cybersecurity prompting ever-greater global scrutiny, boards and senior executives require sophisticated counsel to assess and navigate risks around the use of customer, business partner or employee data. We help clients establish oversight and compliance frameworks that reduce the potential for large-scale data breaches or cyber incidents, manage and mitigate fast-moving crises when they occur, and respond to related litigation.   

New York DFS Creates New Cybersecurity Division

May 29, 2019

On May 22, 2019, the New York State Department of Financial Services (“DFS”) announced the creation of a new Cybersecurity Division, which it described as the “first of its kind at a banking or insurance regulator.” The new Cybersecurity Division will “enforce [DFS’s] cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’s cybersecurity regulations, and conduct cyber-related investigations[.]” The division will also disseminate information on trends and threats concerning cyber-attacks.[1] 

The Cybersecurity Division will be led by Justin Herring, who had been Chief of the Cyber Crimes Unit in the United States Attorney’s Office for the District of New Jersey. In that role, Herring supervised cybercrime cases, including national security threats, malware and ransomware campaigns, as well as hacks targeting corporations, financial institutions, accounting firms, and the government.[2] The DFS press release also highlighted his “substantial experience” in digital currency cases, including tracing digital currency transactions, investigating money laundering through digital currency, and prosecuting unlicensed digital currency exchanges. 

The creation of the new Cybersecurity Division suggests that DFS intends to vigorously enforce and examine compliance with its groundbreaking cybersecurity regulations, which were proposed in September 2016,[i] and which went into effect in phases during a two-year transitional period ending March 1, 2019.[3] Former DFS Superintendent Maria T. Vullo, in a memorandum issued last year, explained that the regulations are intended “to bolster the financial services industry’s defenses against cybersecurity attacks, in order to protect our markets and consumers’ private information.”[4]

DFS’s cybersecurity regulations require covered DFS-regulated banks, insurance companies, and other financial institutions to establish and maintain programs and policies designed to protect consumer information as well as information technology systems, and to file an annual certification confirming compliance with the regulations.[5] Covered institutions must also, among other things:

  • Conduct periodic risk assessments;[6]
  • Designate a Chief Information Security Officer responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy;[7]
  • Establish an incident response plan designed to respond to unauthorized attempts to access electronic information;[8] and
  • Under certain circumstances, notify DFS when unauthorized attempts to access electronic information have occurred.[9]

The creation of the Cybersecurity Division follows on Acting Superintendent Linda A. Lacewell’s decision last month to consolidate two former divisions into a new Consumer Protection and Financial Enforcement Division.[10]

We will continue to monitor developments at DFS and look forward to providing you with further updates.

*       *       *

[i] See

[1] DFS Press Release, “Acting Superintendent Linda A. Lacewell Names Justin Herring Executive Deputy Superintendent of Newly Created Cybersecurity Division,” May 22, 2019,

[2] Id.

[3] See 23 NYCRR 500.22.

[4] DFS Memorandum, “DFS Cybersecurity Regulation – First Two Years and Next Steps,” Dec. 21, 2018,

[5] See 23 NYCRR 500.00, 500.01(c), 500.02, 500.03.

[6] See 23 NYCRR 500.09.

[7] See 23 NYCRR 500.04.

[8] See 23 NYCRR 500.16.

[9] See 23 NYCRR 500.17.

[10] See

© 2022 Paul, Weiss, Rifkind, Wharton & Garrison LLP