New York is the first state to establish a department within a financial regulatory agency that is tasked with protecting consumers and financial markets against cyber threats.

On May 22, 2019, the New York Department of Financial Services ("DFS") announced the creation of a Cybersecurity Division to protect the state's financial services industry from cyber threats. New York is the first state to establish within a financial regulatory agency a department tasked with protecting consumers and financial markets against the risk of cyber threats. The agency has long maintained a leading role among state financial service regulators in addressing cyber issues, and the creation of the division represents the state's latest effort to underscore its commitment to addressing digital threats.

The Acting DFS Superintendent Linda Lacewell has named Justin Herring as the executive deputy superintendent in charge of the new division. Previously, Mr. Herring was chief of the first Cyber Crimes Unit at the U.S. Attorney's Office of New Jersey and is expected to bring expertise in cybercrime and digital currencies.

The new Cybersecurity Division will:

  • Enforce the DFS's cybersecurity regulations;
  • Advise on cybersecurity examinations;
  • Issue cyber-related guidance;
  • Conduct cyber-related investigations with the Consumer Protection and Financial Enforcement Division; and
  • Disseminate trends and threat information about cyberattacks.

In particular, the Cybersecurity Division will enforce and issue guidance on the NYDFS Cybersecurity Requirements, promulgated in 2017 to establish baseline cybersecurity standards for banks, insurance companies, and other covered financial institutions. Those include funding and staffing requirements for cybersecurity programs, risk-based standards for technology systems, procedures for addressing breaches, and annual certifications of regulatory compliance with the DFS.

The move by DFS indicates the agency's intent to increase its focus on cybersecurity issues going forward. However, it remains to be seen whether this will result in more rigorous enforcement of New York's cybersecurity regulations.