More Cybersecurity Regulation Oversight Possible Under New NYDFS Division
The creation of a new NYDFS division to review and respond to cybersecurity events and enforce policy around financial crimes could lead to increased oversight under the department’s watershed Cybersecurity Rule (23 NYCRR 500).
A new division within New York's Department of Financial Services (NYDFS) will be tasked with protecting and educating consumers and fighting consumer fraud, the department announced this week.
The group, the Consumer Protection and Financial Enforcement Division, is a combination of two others within the financial regulator, the Enforcement and Financial Frauds and Consumer Protection divisions.
According to NYDFS, the division’s role will have a slant towards reviewing and responding to cybersecurity events and developing supervisory, regulatory and enforcement policy and direction around financial crimes.
It’s likely a large chunk of the division’s work will revolve around the department’s Cybersecurity Regulation, a compliance requirement for financial institutions. In effect since March 1, 2017, the department's landmark requirement (23 NYCRR 500) impacts roughly 1,500 financial institutions and banks and 1,400 insurance companies. Viewed as a pivotal piece of cybersecurity legislation, 23 NYCRR 500, establishes minimum security requirements to protect financial institutions and their customers from cyberattacks. While we're two years removed from the requirement going into effect, two deadlines around the requirement passed this spring. One, which required Covered Entities to file a second annual Certification of Compliance for calendar year 2018, passed on February 15 while another, which required Covered Entities to ensure there are policies in place to govern the security of third-party service providers, passed on March 1.
Linda Lacewell, the current and third superintendent of financial services, announced the new division on Monday. Lacewell took over the department, succeeding Maria Vullo, who had been the head of NYDFS since January 2016, on Feb. 1. after being named to lead by Gov. Andrew Cuomo in January. According to Lacewell, who described the new division as a “powerhouse,” the Consumer Protection and Financial Enforcement Division will also comprise the Investigations and Intelligence Division, Civil Investigations Unit, the Producers Unit, the Consumer Examinations Unit, the Student Protection Unit, and the Holocaust Claims Processing Office.
The Consumer Protection and Enforcement division will be overseen by Katherine A. Lemire, a former federal prosecutor, turned compliance consultant. Lemire comes to NYDFS via StoneTurn Group LLP, a consulting group that offers insight on regulation compliance and investigative services.
“Given the paramount importance of consumer protection and regulatory oversight in the financial marketplace, I look forward to once again re-entering public service and serving the best interests of New Yorkers, while utilizing the expertise and dedication of DFS staff and resources of the Department," Lemire said Monday.
It's highly probable that in wake of the new division's creation, requirements like New York's cybersecurity rules could be subject to more stringent regulatory oversight going forward.
Lacewell has previously hinted that cybersecurity would be a priority under her watch; in a speech last month at the Association of the Bar of the City of New York she called cybersecurity "the number one threat facing all industries and government globally," adding that compliance needs to "be at the center of everything your institutions do."