On May 22, 2019, the New York State Department of Financial Services (“DFS”) announced the creation of a new Cybersecurity Division, which it described as the “first of its kind at a banking or insurance regulator.” The new Cybersecurity Division will “enforce [DFS’s] cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’s cybersecurity regulations, and conduct cyber-related investigations[.]” The division will also disseminate information on trends and threats concerning cyber-attacks.

The Cybersecurity Division will be led by Justin Herring, who had been Chief of the Cyber Crimes Unit in the United States Attorney’s Office for the District of New Jersey. In that role, Herring supervised cybercrime cases, including national security threats, malware and ransomware campaigns, as well as hacks targeting corporations, financial institutions, accounting firms, and the government. The DFS press release also highlighted his “substantial experience” in digital currency cases, including tracing digital currency transactions, investigating money laundering through digital currency, and prosecuting unlicensed digital currency exchanges.

The creation of the new Cybersecurity Division suggests that DFS intends to vigorously enforce and examine compliance with its groundbreaking cybersecurity regulations, which were proposed in September 2016, and which went into effect in phases during a two-year transitional period ending March 1, 2019. Former DFS Superintendent Mara T. Vullo, in a memorandum issued last year, explained that the regulations are intended “to bolster the financial services industry’s defenses against cybersecurity attacks, in order to protect our markets and consumers’ private information.”

DFS’s cybersecurity regulations require covered DFS-regulated banks, insurance companies, and other financial institutions to establish and maintain programs and policies designed to protect consumer information as well as information technology systems, and to file an annual certification confirming compliance with the regulations. Covered institutions must also, among other things:

  • Conduct periodic risk assessments;
  • Designate a Chief Information Security Officer responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy;
  • Establish an incident response plan designed to respond to unauthorized attempts to access electronic information; and
  • Under certain circumstances, notify DFS when unauthorized attempts to access to electronic information have occurred.

The creation of the Cybersecurity Division follows on Acting Superintendent Linda A. Lacewell’s decision last month to consolidate two former divisions into a new Consumer Protection and Financial Enforcement Division.