New Cybercrime-Fighting Unit to Enforce New York Cybersecurity Regulations for Financial Institutions



New Cybercrime-Fighting Unit to Enforce New York Cybersecurity Regulations for Financial Institutions

The Wall Street Journal recently reported that a newly-founded crime-fighting cyber unit will begin enforcing security rules laid forth by New York cybersecurity regulations. The primary role of the division is to protect consumers and financial organizations located in or doing business in New York from cyber threats.

Spearheaded by financial regulator the New York Department of Financial Services (DFS), the unit will enforce New York cybersecurity regulations, which are some of the strictest rules in the nation. The crime-fighting team has the power to impose penalties and fines on firms who fail to properly vet vendors under regulations established in March 2017. No other division of its kind has ever been established at a banking or insurance regulator before in the United States.

“As technology changes the financial services industry, regulation must evolve, and DFS is evolving to meet the challenges and opportunities of the new landscape, to protect consumers, safeguard the industry, and encourage innovation.”

– Acting DFS Superintendent Linda A. Lacewell

Who will the cybersecurity team consist of?

The federal prosecutor stepping into the leadership role of the unit is Justin Herring, who currently serves as chief of the New Jersey U.S. Attorney Office’s cybercrimes unit. Herring already has a successful track record of mitigating major cyber threats – in January, he was instrumental in prosecuting the perpetrators of a U.S. Securities and Exchange Commission computer system infiltration where hackers stole thousands of documents. He also took part in the prosecution efforts after ransomware attacks infected the Port of San Diego and the City of Atlanta.

“I look forward to bringing my expertise to DFS to lead this new division to combat the growing problem of cybercrime, protect New Yorkers and their sensitive information from attacks, and ensure that DFS continues to be a leader in cybersecurity.”

– Justin Herring, Chief, Cybercrimes Unit, New Jersey U.S. Attorney’s Office

The crime-fighting unit will also consist of existing DFS cybersecurity subject matter experts with plans to develop the division further by hiring additional experts and incorporating other DFS personnel.

What role does the new cybercrime unit play?

The new unit’s focus on protecting consumers and the financial industry from cyber threats will be done by disseminating information based on trends plus known and emerging risks. Primarily, the unit’s focus will be on enforcing cybersecurity regulations, providing consultation services, performing security examinations, issuing guidance on DFS regulations, and conducting cybersecurity investigations in conjunction with the Consumer Protection and Financial Enforcement Division.

The formation of the unit demonstrates the state’s seriousness about enforcing New York cybersecurity regulations and will take action to mitigate risks and threats to the financial industry, which accounts for 30% of the state’s GDP.

Cybersecurity regulations in New York

In 2017, the New York DFS enacted the first cybersecurity regulation in the nation: New York State DFS Cybersecurity Regulation (23 NYCRR 500). The purpose of New York’s cybersecurity rule is to protect the financial services industry and consumers from cyber attacks. The rule applies to any organization regulated by the New York DFS, including private bankers, mortgage companies, trust companies, licensed lenders, service contract providers, and more. Institutions must commit to and observe security standards, including:

  • Cybersecurity programs
  • Audit trails
  • Access privileges
  • Third-party service provider security policies
  • Training and monitoring

What can financial institutions expect from the formation of the cybercrimes unit?

In practice, the unit will issue notices to companies to regularly assess third-party cybersecurity practices, evaluate security controls, and limit their overall cyber threat attack surface. Financial institutions can expect to undergo periodic vulnerability assessments, provide copies of cybersecurity policies on request, and receive fines for violating regulations. Should a breach occur, it’s the organization’s responsibility to notify the DFS within 72 hours of discovery.

Overall, the formation of the cybercrime-fighting unit and the expected enforcement of New York cybersecurity regulations means the financial industry in New York will be more tightly secured, preventing possible attacks that can cost millions of dollars. Organizations can prepare by regularly conducting internal audits and investigations into security policies, procedures, and controls. Even the most robust cybersecurity program can fall victim to the most determined hacker, so continuously review security measures and stay up to date on best practices in order to safeguard networks and data.