Earlier this month, CPW’s Kristin Bryan provided her insights to Richard Satran at Thomson Reuters Regulatory Intelligence regarding recent developments concerning the New York financial sector, cybersecurity and data privacy in light of a recent key leadership change with a state regulator.  You can read the full article below, which includes her comments, which was originally published by Thomson Reuters Regulatory Intelligence and is re-published with their authorization.

Whoever takes over as head of the New York Department of Financial Services will need to lead its large staff of professionals in putting behind the impact of a political scandal that felled its leader her role in resigned Governor Andrew Cuomo’s administration. Industry experts say the new leadership will be pressed to show that the agency is above politics and capable of carrying on its role as a leading U.S. financial regulator.

The industry observers said the next head of the agency will have little choice but to stick to the same priorities that gave it a national reputation. These include cutting-edge cybersecurity rules and climate change initiatives.

The agency has jurisdiction over thousands of financial services firms doing business in the state. Its latest superintendent, Linda Lacewell,  announced her resignation at the end of last week. She had a long background as a political operative but little, if any, experience in financial regulation. She resigned under pressure due to her alleged involvement in aggressive efforts to save the political career of her longtime ally Cuomo, who last Tuesday announced he would leave office in 14 days amid accusations of sexual harassment.

Cuomo had taken strong interest in the state financial regulator throughout his administration, and Lacewell was the second NYDFS supervisor to move directly from the position of Cuomo’s chief of staff to NYDFS superintendent. The first and longest-serving NYDFS supervisor Benjamin Lawsky, also held the position, overseeing a large staff of regulatory professionals.

Agency Made its Mark in Cyber Regulation  

Although Cuomo reportedly micro-managed the agency’s activities, it nonetheless emerged as a force in financial regulation and was seen taking a leading role among U.S. state regulators in a number of areas, most notably cybersecurity regulation.

Regardless of who takes control, the next superintendent will not likely change the agency’s course. The new head will be appointed by the new governor, Kathy Hochul, an upstate Democrat who served as Gov. Andrew Cuomo’s hand-picked lieutenant governor, who assumes office on August 24.

While the agency is in transition and perhaps for an extended period, banks, insurers and other financial firms that the NYDFS oversees are unlikely to see it push further into new areas of regulation, according to people who follow the agency.

But observers expect the enforcement staff to stay busy, with a mission that may become even more of a priority under a new superintendent.

Hochul Election Campaign Already Begun

Hochul, who even before assuming office announced plans to run for a four-year term in next year’s gubernatorial election, will likely view the Department of Financial Services, or NYDFS, in the same light as her predecessor. That is, as a state regulator with the clout of a federal agency, since its New York jurisdiction is home to many of the largest banks and insurers. What is more, with an election campaign effectively already underway, Hochul was seen likely to look for a superintendent who can provide the kind of quick political wins that enforcement actions can deliver. Industry experts said it is too early to speculate on who might replace Lacewell and whether it will be a figure from enforcement.  .

The role could be high profile. NYDFS enforcement cases went even beyond the giants of New York. Its largest actions were taken against UK multinational bank Standard Chartered, with whom it settled charges of sanctions violations and AML-control lapses for $463 million, and Deutsche Bank, which paid $150 million for charges related to its role in enabling client Jeffrey Epstein to carry on sexual predation over a period of years.

While such actions can’t be considered part of an expected routine, the agency has already taken aim at potential high-profile COVID-19 related cases that could garner public attention, in areas such as favoritism in servicing relief payments, debt collection abuses, student loan moratorium violations and other pandemic concerns.

While enforcement in the foreseeable future will likely be a mainstay, the agency was not seen taking on groundbreaking regulatory initiatives or departures from past priorities.  A new initiative to target discriminatory lending could drop from its priority list since the agency has little background or suitable resources to take on such long-to-develop and complex cases anytime soon, said industry experts.

No Radical Shift in Focus Expected  

“Whoever they choose to become the new superintendent is not going to radically change the focus,” said former agency staffer Scott Fischer, now of regulatory advisory firm DLA Piper. “On the regulatory side, they will follow what Lacewell did and remain focused on a couple of areas that are incredibly important for the near future.”

Cyber protection and insurance, climate change, and diversity and inclusion are among the areas where the agency has a track record that will continue as the top priorities for anyone taking the helm.

“Rather than being a sea change, I see the shift in leadership as being an unsurprising development in light of other issues that have been covered by the media in recent weeks concerning the current governor’s upcoming departure from office.” Kristin Bryan, a senior Squire Patton Boggs LLP senior litigator in cyber law.

The agency was created in 2011 by combining the state banking and insurance regulators. The revamp was aimed at modernizing the agency and combining expertise and resources, especially in sharing the large amount of data generated by the regulated industries. the NYDFS has been strongly focused on data use and fintech since its founding.

“NYDFS is anticipated to continue to play a pivotal role on the data privacy and cybersecurity front going forward,” Ms. Bryan said. The agency has too much invested in cyber regulation to “let it go by the wayside.”

The agency hit its stride most visibly not only in its landmark  cyber protection regulation but also in its pace-setting digital currency regulation. Financial technology is certain to remain a top priority. In one major initiative, the agency has under review a proposal for the first major update to its 2018 cyber regulations to respond to a wave of ransomware attacks. The agency, as regulator of both top insurers and leading financial firms, could play a key role in setting rules. Ms. Bryan noted that the “Cyber Insurance Risk Framework” announced earlier this year was the first guidance by a U.S. regulator on cybersecurity insurance.

Next Up: Ransomware 

Ms. Bryan said the NYDFS has similarly taken a lead in “new guidance on preventing ransomware attacks with a focus on cybersecurity controls that significantly reduce the risk of a ransomware attack.” The agency has undertaken an initiative to extend its ground-breaking cyber regulations to specifically address ransomware comes amid calls from some lawmakers to make ransom payments illegal. The agency in its recent guidance told firms it was opposed to the payment of ransom but has not made it a rule.

Cyber security professionals have objected strongly to rules that would “criminalize the victims,” when breached firms would pay ransom to avoid a shutdown of their systems. Sources near the agency say, however, that some form of sanction might be applied in cases where ransom is paid by firms that lacked proper controls in place.

The agency also will likely push ahead, as it did in Lacewell’s tenure, with innovative approaches in creating a legal process for firms to become involved in digital assets.  The agency has long been issuing “bitlicenses” for virtual currency services, sometimes drawing criticism from U.S. bank regulators who preferred to take the lead. Hochul could take a more collaborative approach than the famously confrontational Cuomo, and the agency already has begun to work more closely with the federal Consumer Financial Protection Bureau.

More broadly, developments brought about by COVID and remote work, which are likely to persist in the near future in light of COVID-19 Delta variant’s surge in the United States, have highlighted the importance of this area across industries. Both the Biden administration and state regulators are paying close attention.

The agency also has been leading in the financial regulatory implications of climate change. It launched an initiative nearly five years ago, taking on an issue that only recently has been put on the agenda of U,S, financial agencies.

Despite expectations for continuity, the Hochul administration could still take actions to distance its NYDFS policy from Cuomo. The choice Hochul makes to take over the agency will be closely watched to see whether the large and complicated regulator decides to find a supervisor with deep financial agency experience, as opposed to a political lieutenant.  Whatever the choice, one thing will change. It will be the first supervisor not appointed by Cuomo or who had previously worked for him directly on his staff.