Today, New York’s top financial regulator, the Department of Financial Services, announced the formation of a dedicated “Cybersecurity Division.” In a news release issued earlier today, the agency said the new division “will focus on protecting consumers and industries from cyber threats ….”
Linda A. Lacewell, the agency’s acting Superintendent, explained that “[i]ncreasingly today, counterterrorism is about cybersecurity, our biggest threat and biggest challenge …” In addition, she said that "[a]s technology changes the financial services industry, regulation must evolve and DFS is evolving to meet the challenges and opportunities of the new landscape, to protect consumers, safeguard the industry, and encourage innovation.”
The new unit will be headed by Justin Herring, the former Chief of the U.S. Attorney’s Office of New Jersey’s first Cyber Crimes Unit, who will serve as DFS’s Executive Deputy Superintendent.
According to the press release, the new unit is the “first of its kind to be established at a banking or insurance regulator” and will enforce the agency’s cybersecurity regulation, advise on cybersecurity exams, issue guidance on DFS’s cyber regulation and conduct cyber-related investigations.
Superintendent Lacewell’s announcement follows her statement last month that cybersecurity is “the number one threat facing all industries and governments globally.” (See our blog post here for full coverage of her April 12th speech to the New York City Bar Association.) And DFS has put its money where its mouth is: DFS’s cyber regulation – initially enacted more than two years ago – is now in full force. After a two-year phase-in period, it imposes substantial requirements on banks and insurance companies that operate in the State, including the filing of an annual certification of compliance.
And companies outside of New York’s borders and in industries outside banking and insurance are starting to feel the sting of New York’s cyber regulation. In March, the U.S. Federal Trade Commission proposed increasing federal cybersecurity standards based, in part, on New York’s landmark law. The FTC’s proposal is in the public comment period.
Today’s news also follows the agency’s announcement last month that it had combined its enforcement, financial frauds and consumer protection units into a single Consumer Protection and Financial Enforcement Division. Katherine A. Lemire, also a former federal prosecutor, will head the division. Superintendent Lacewell called the new unit a “powerhouse” that will “greatly strengthen the Department’s mandate to guard against financial crises and to protect consumer and markets from fraud.”