Making Waves: How New York Became a Leader in State Cyber Regulation
New York State Department of Financial Services (DFS) Superintendent Linda Lacewell spoke with Elizabeth Blosfield during the most recent episode of the Insuring Cyber Podcast about how she has always seen New York as a leader in cybersecurity and innovation.
After being confirmed to her post as DFS Superintendent in 2019, this is a legacy she aims to further.
“When I came into DFS…it quickly became apparent to me that the waves of innovation are crashing on the shores of everything that we regulate,” she says, adding that she believes “cybersecurity is the biggest risk for government and industry bar none.”
Lacewell says she saw this as an opportunity to continue elevating cybersecurity and innovation as matters of focus during her time at DFS, establishing its first cybersecurity division in May of 2019, and just two months later, establishing a new office of innovation at DFS.
Even before Lacewell’s time as superintendent, DFS was placing a greater focus on cybersecurity with its implementation of a first-of-its-kind cybersecurity regulation in March 2017 under the leadership of former DFS Superintendent Maria Vullo.
“I think this was a tsunami through the world of financial services,” says Peter Halprin, partner in law firm Pasich’s New York office, earlier in the podcast episode. “What it did, I think most importantly, and this was its design, was kind of forced the issue and forced the notion that companies need to pay attention to privacy and data at the highest levels, expressly senior management.”
In fact, DFS filed its first charges under the regulation in September of last year, serving a notice of charges to First American Title Insurance Company after alleging it exposed millions of documents containing consumers’ personal information. Halprin says this action was important as it demonstrated how New York’s cybersecurity regulation will be enforced moving forward.
“I think that this is an octopus,” he says. “It’s got a lot of arms and a lot of tentacles, and it’s going to go in a lot of different directions in terms of how it implicates coverage. But the First American action gives us all, I think, a moment to pause, reflect and think about what may come and what we should expect in the U.S. and perhaps elsewhere.”
Later in the year, DFS issued a report following its investigation into a cybersecurity incident involving social media company Twitter, in which verified accounts of public figures were hacked to tweet links pushing a bitcoin scam.
Twitter released a public statement on July 15, the day of the attack, saying that it immediately locked down the affected accounts and removed Tweets posted by the attackers when it became aware of the hack. It shared in a September 24, 2020, blog post that it plans to continue to prioritize and accelerate its efforts to increase the security of the platform and its teams.
“Protecting people’s privacy and security is a top priority for Twitter, and it is not a responsibility we take lightly,” a Twitter spokesperson told Insurance Journal in an email. “We have been continuously investing in improvements to our teams and our technology that enable people to use Twitter securely. This work is constant and always evolving.”
However, Lacewell is calling for increased regulation of social media companies in the future.
“The social media companies have become gigantic,” she says. “We as a society allowed it to happen. They got way out ahead of us, without regulation. The digital transformative changes have been happening alongside, generating the risks to cybersecurity. Government did not adapt, and that was a failure of the federal government because these systemically important companies now present, I believe, systemic risks and nobody is addressing them.”
For more insight into how New York is shaking up the world of cybersecurity and state cyber regulation, check out the rest of this episode and be sure to tune in for new episodes of the Insuring Cyber Podcast every other Wednesday published along with the Insuring Cyber newsletter.