Incoming DFS Chief Calls Cyber the “Number One Threat” Facing Industry and Government

by Craig A. Newman and Alejandro H. Cruz

The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.

Linda Lacewell, acting superintendent of the New York State Department of Financial Services (“DFS”), made her remarks at an event focused on insurance regulation, and they come at a time when the state’s sweeping cybersecurity regulation — initially implemented more than two years ago — is now in full force. Lacewell, a former federal prosecutor, was nominated in January 2019 by New York Governor Andrew Cuomo to head DFS, which oversees banking and insurance in the state. Lacewell was Cuomo’s chief of staff. Her confirmation has not yet been scheduled.

As a regulator, DFS is widely considered the most powerful state banking regulator in the country because of the number of banks with a presence in New York — including foreign banks — that fall under DFS’s watch. Although the agency has civil — not criminal — authority, it has levied more than $9 billion in civil fines since 2011.

Lacewell replaces Maria Vullo, who left the agency two months ago and is widely credited with getting the state’s cybersecurity regulation in place more than two years ago and heading its phased implementation over the past two years.

So what does this change at the top mean for DFS’s cybersecurity enforcement? Lacewell’s comments on Friday, the themes she discussed, and her own background might provide some clues for financial institutions that fall under the agency’s watchful eye.

  • Cybersecurity will likely be a priority. In her remarks, Lacewell called cybersecurity “the number one threat facing all industries and governments globally.” In asking the question, “how do we deal with cyber?” Lacewell noted DFS’s leading role in cybersecurity regulation and hinted that cyber will continue to be a top priority for DFS, saying, “we’ve got to do the hard work,” and suggested that DFS-regulated companies should place cyber issues at the top of their risk agendas.
  • Compliance will take center stage. In no uncertain terms, Lacewell made clear that the compliance function for financial institutions should be placed front and center. In Lacewell’s words, “[c]ompliance is not some kind of back-office backwater; compliance needs to be at the center of everything your institutions do.”  Lacewell explained her view that regulated entities need to think hard about their compliance efforts and — with respect to cyber and beyond — ensure robust execution and meaningful risk mitigation plans to deliver on what Lacewell sees as “what we owe to all consumers.”
  • Consumers will come first. One of the main themes of her speech was the focus on protecting the consumer. She said that “the consumer is at the center of everything we do” and “we can’t leave the consumer out of the equation.” Lacewell’s remarks revealed a fully formed approach to regulation and enforcement — shaped by her experience as a federal prosecutor and in the New York Attorney General’s Office — focused on the well-being of the state’s consumers. Lacewell told the room that consumer-focused industry practices are “not inconsistent with being a profitable enterprise.” How this view will play out at DFS remains to be seen, but Lacewell’s consumer-focused ethos and explicit link between corporate compliance and consumers may be telling as to how DFS will evaluate compliance and enforcement issues arising from DFS’s cyber regulation, especially as it affects consumers.
  • Big data and complex technology will be an enforcement focus. “Big data it’s a risk and opportunity,” she said. Although Lacewell’s comments about big data were made in the context of using big data to make underwriting decisions for insurance companies, the tenor of her comments suggested that her interest might not be limited to underwriting decisions. Will she look at big data in the context of cybersecurity and the way such information is stored and transmitted to ensure that it is properly safeguarded? “We have a lot of work to do in the tech industry and that’s going to be a big focus for us,” she said.
  • The healthcare industry may garner DFS attention. Throughout her career, Lacewell said she has focused on the healthcare industry, from both an enforcement and legislative perspective. While in the New York governor’s office, she worked to reshape the healthcare industry in the state including the establishment of a nonprofit healthcare organization. She stressed her view that the health insurance industry in New York is still in need of extensive reforms to maximize protections and benefits for all New Yorkers. Lacewell’s priorities at DFS are, no doubt, still taking shape, but her professional history suggests a level of familiarity and interest in healthcare companies, which will likely include safeguarding protected healthcare information.

It is always challenging to predict an agency’s regulatory priorities and expectations, especially in a new administration. But with Lacewell’s prosecutorial background, her strong commitment to consumer protection, and her admonition that cybersecurity is the “number one” threat facing industry today, it seems like a good bet that her administration will focus on issues at the intersection of cyber and consumer protection. As to the agency’s other priorities, we will need to wait and see.

Craig A. Newman and Alejandro H. Cruz are partners at Patterson Belknap Webb & Tyler LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.