Data Security Law Blog

DFS Superintendent Vullo Reflects on NYS Cyber Regulation: Two Years Later

With full implementation of New York’s groundbreaking cybersecurity regulation only six weeks away, the state’s top banking regulator took the opportunity to praise the many financial institutions that have adopted systems to better protect consumers from cybercrime.

In a four-page letter posted on the DFS website, Superintendent Maria T. Vullo said that, during the prior year, her agency and the financial services industry had worked “collectively [and] enhanced the financial services industry’s cybersecurity protections for New York, providing national standards and leadership on this critically important issue.”  Vullo announced late last year that she would be stepping down on February 1, 2019, after serving three years in her post.

“I am especially proud to have led DFS in cybersecurity, having promulgated a final regulation in March 2017 that is now the national standard for the protection of our nation’s financial markets,” she said in a written statement.

The New York cybersecurity regulation has been phased in over the past two years. The regulation’s final provision becomes effective on March 1, 2019, at which time banks and insurers must have policies and procedures in place to deal with the security of their networks and confidential information accessible by third-party service providers.

New York Governor Andrew M. Cuomo has nominated Linda Lacewell, currently his Chief of Staff and Counselor, as the new banking superintendent. Lacewell is a former federal prosecutor, having spent nine years as an assistant U.S. Attorney in the Eastern District of New York, including two years on the Enron Task Force.

A few key takeaways from Vullo’s letter:

  • Breach Notices. DFS has thus far received approximately 1,000 notices of cybersecurity events from regulated institutions. The “majority of successful breaches involve common software technology used throughout business operations and have involved phishing attacks, social engineering threats, and issues relating to password composition and security and email security.”
  • Phishing Scams. “A significant number of events reported to DFS involved breaches that stemmed from employees providing credentials in response to attractive emails that trick a user to provide confidential information … from a source that the employee will trust, perhaps even appear to be an email from a customer or client of that employee and a subject that will peak their interest.”
  • Common Cyberattack Vectors. Vullo also stressed that recent cyberattacks underscored the importance of fully implementing the following provisions of the regulation:
    • Multi-factor authentication (Section 500.12) (“Breaches occur more easily when the company does not have multi-factor authentication in place, or where the multi-factor authentication protection malfunctioned”);
    • Encryption (Section 500.15) (“Strong access control and encryption for data in transit and at rest mitigate the loss and are critically important.”);
    • Training (Section 500.14) (“Ongoing training is essential. All staff needs basic cybersecurity training to avoid events like successful phishing scams, and ongoing reminders and training to ensure protections from errors that could have significant consequences.”)
  • Annual compliance certificate. Due by February 15th of each year, the annual compliance certificate “is a critical governance pillar for the cybersecurity program of all DFS regulated entities.”

Vullo also made clear that DFS takes compliance seriously: DFS examiners have been including cybersecurity in all of their regular examinations. As leadership changes, we will, as usual, monitor DFS’s enforcement, interpretation, and approach to the regulation.