The question gets asked quite frequently in regulatory circles: "Will the New York State Department of Financial Services bring an enforcement action under its cybersecurity regulation, and if so, when?" The probable answers are "yes" and "soon." As discussed below, a number of traditional factors that animate decisions about enforcement point to a likelihood in the near term of an enforcement proceeding against one or more regulated entities for a violation of the DFS cybersecurity regulation, known as "Part 500." (23 N.Y.C.R.R. §500.)

Background on Part 500

First issued in March 2017, Part 500 contained a two-year implementation period and has been fully effective for approximately nine months. Generally, regulated institutions must implement and maintain a "robust" cybersecurity program, including such core elements as:

• a written policy, approved by the board of directors or a senior officer, setting forth the procedures for protecting information systems and stored non-public information, and including a written incident response plan designed to promptly respond to and recover from a Cybersecurity Event;

• periodic risk assessments, updated as necessary to address changes to systems, types of data, or operations;

• continuous monitoring; or alternatively, annual penetration testing and bi-annual vulnerability assessments;

• notification to DFS within 72 hours of a qualifying Cybersecurity Event;

• a Chief Information Security Officer responsible for overseeing the cybersecurity program;

• risk-based limits on user access privileges to information systems, with periodic review of such privileges;

• written policies and procedures governing information systems and non-public information accessed or held by third-party service providers;

• effective controls such as multi-factor authentication and encryption of non-public information at rest and in transit; and

• annual certification of compliance by the board of directors or a senior officer of the entity.

Regarding enforcement, §500.20 of the regulation states "[it] will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent's authority under any applicable laws."

Implementation of the Cybersecurity Regulations to Date

From March 2017 through the end of 2018, DFS focused on encouraging regulated entities to move expeditiously to comply with Part 500. In its December 2018 guidance memorandum, DFS updated licensed institutions on how the agency had been approaching implementation of Part 500. DFS reported that its "examiners have been including cybersecurity in all regular examinations across the Department." DFS noted further that it had already received approximately 1,000 notices of Cybersecurity Events, "a significant number of which" stemmed from phishing-type attacks targeted at employees of regulated entities. The guidance elaborated that, upon receipt of a breach notice, DFS may have taken steps such as notifying other regulated entities prophylactically to protect against further intrusions, conducting further investigation, or determining no further action was necessary. The December 2018 guidance concluded by reemphasizing the need for full compliance to be achieved by licensed entities (except for a small exempt group) by the March 2019 deadline.

Next, in May 2019, DFS announced the creation of its Cybersecurity Division, headed by a former federal cybercrime prosecutor. DFS described the new division's mission as enforcing the cybersecurity regulations, advising on cybersecurity examinations, issuing additional guidance for regulated entities, conducting investigations alongside the Consumer Protection and Financial Enforcement Division, and disseminating trend and threat information to the financial services industry.

And just before the creation of the Cybersecurity Division was announced, DFS Superintendent Linda Lacewell was reported to have told participants at a conference that cybersecurity is "the number one threat facing all industries and governments globally," and—after noting DFS' leading role in cybersecurity regulation—the Superintendent indicated that cybersecurity remains a top DFS priority, saying, "we've got to do the hard work." Craig Newman and Alejandro Cruz, "Incoming DFS Chief Calls Cyber the 'Number One Threat' Facing Industry and Government," Program on Corporate Compliance and Enforcement at NYU School of Law (April 18, 2019).

Enforcement Mechanisms Available to DFS

When the work of DFS turns to enforcing Part 500, several mechanisms exist by which the agency can take action against a non-compliant cybersecurity program:

First, for entities subject to the Banking Law, the Superintendent may issue an order requiring a licensed institution to discontinue any "unsafe or unsound" practice. Substantial lack of compliance with the cybersecurity standards established by DFS could readily be considered an "unsafe and unsound" practice of a financial institution. See Banking Law §39(2).

Second, if determined to be an unsafe and unsound practice under the Banking Law, DFS also may impose a civil monetary penalty against a licensed entity. Penalties accrue on a per-day basis and each discrete violation can amount to a daily penalty of up to $250,000. See id. §44.

Third, because Part 500 was issued pursuant to the authority of the Financial Services Law, that law provides for a civil monetary penalty of up to $1,000 per violation of Part 500. See Financial Services Law §408(a). What might constitute a violation of the regulation, and how many violations might arise out of one or more cyber breaches or deficiencies, is currently unsettled.

Fourth, DFS has authority to bring on its own an action in federal court under the consumer protection provisions of the Dodd-Frank Act (12 U.S.C. §5552(a)(1)). Here, DFS theoretically could sue a consumer-facing financial institution (in this case, even an entity not licensed by DFS) for unfair, deceptive or abusive practices—an action similar to the type of cyber breach enforcement action periodically brought by the Federal Trade Commission under the Gramm-Leach-Bliley Act or Federal Trade Commission Act.

Fifth, DFS may suspend or revoke the license of a regulated entity for certain regulatory violations (usually following notice and a hearing)—the most severe of penalties for a regulated entity.

First Enforcement Action: What To Look For

Several factors applicable to enforcement actions generally suggest how DFS may proceed in the first enforcement action arising out of a significant Part 500 violation—and when:

Consumer Impact: Superintendent Lacewell has repeatedly emphasized that consumer impact is a key driver of current DFS enforcement policy. (See, e.g., Matthew L. Levine, "DFS Enforcement to Increase Focus on Consumer Protection," New York Law Journal (Sept. 3, 2019).) A specific cyber breach causing widespread injury to New York consumers and springing from a non-compliant cyber program is a likely target for an enforcement action. Indeed, one of the FAQs pertaining to Part 500 on the DFS website specifically addresses how to provide notice when a Cybersecurity Event involves harm to consumers.

Industry Impact: Should DFS examinations uncover a common and persistent failure by certain licensed institutions to meet one or more particular requirements of Part 500, DFS might bring an enforcement action against multiple entities simultaneously—known as a "sweep"—in order to send a message to all licensees that they should take cyber hygiene seriously. One example might be where DFS discovers that a type of third-party service provider has non-compliant cybersecurity programs, and DFS seeks to send a strong message that this is one area of high risk deserving immediate attention.

Low Hanging Fruit: Simple and compelling facts make for a likely enforcement action. As noted above, an entity is required to report a qualifying cyber event to DFS within 72 hours of the event. Where an entity fails to do so without proper justification (and there are very few), a violation would appear to be clearly established. Similarly, where an entity certifies that it is in compliance with Part 500, but a DFS examination demonstrates clearly identifiable and persistent deficiencies, this also might be grounds for an easily-provable violation.

Timing: DFS is widely recognized as taking the lead in a number of regulatory fields, and particularly cybersecurity. This suggests that an enforcement action will come sooner rather than later, for one way that DFS can maintain its lead is to continue developing regulatory standards and expectations through enforcement. And as other government agencies slowly enter the cybersecurity enforcement arena via new legislation or regulation, including the proposed revision to the FTC's "Safeguards Rule" that covers financial institutions, and the New York Shield Act, which reaches many businesses operating in New York, this will likely incentivize DFS to act in the near term as well.

Media reports point to at least one recent major cyber breach occurring at a DFS-regulated entity. It was reported in May 2019 that First American Financial Corporation, a title insurer, suffered a data breach involving 885 million records relating to mortgage deals. Highly personal information, such as bank account numbers, was apparently taken in the hack. Additionally, it was reported very recently that a major breach at cloud providers, attributed to Chinese state actors (called Cloud Hopper), may have touched on one or more DFS licensees. Whether any of these incidents will land these or other firms in the DFS enforcement cross-hairs remains to be seen. What does seem knowable is that the enforcement hammer is likely being forged and tempered at this moment for a possibly imminent arrival.

Matthew L. Levine formerly served as Executive Deputy Superintendent for Enforcement at DFS and as a federal prosecutor, and is now a compliance consultant at Guidepost Solutions.