With the enactment of the State Budget, the Legislature has shifted its focus to programmatic issues. The Legislature plans to complete the 2021 Session on June 10th. Both houses will likely pass thousands of bills over the next six weeks. The Attorney General’s investigation into sexual harassment allegations against Governor Cuomo will undoubtedly impact the pace and agenda for the balance of the Legislative Session.
Appellate Court Finds Regulation 187 Unconstitutional
On April 29, 2021, the New York Appellate Division, Third Department, entered a decision in the case of In the Matter of Independent Insurance Agents and Brokers of New York, Inc. v. New York State Department of Financial Services, finding that Regulation 187 is unconstitutional on the grounds of vagueness. The court reasoned that “while the consumer protection goals underlying promulgation of the amendment are laudable, as written, the amendment fails to provide sufficient concrete, practical guidance for producers to know whether their conduct, on a day-to-day basis, comports with the amendment's corresponding requirements for making recommendations and compiling and evaluating the relevant suitability information of the consumer.” The court concluded that “given the resulting ambiguities in the language employed, coupled with its lack of clear standards for how these provisions will ultimately be enforced, [DFS] has ‘virtually unfettered discretion’ in determining whether a violation has occurred.” If an appeal to the Court of Appeals is made, an automatic stay would be issued and the regulation would remain in effect until a decision is issued.
Proposed Climate Change Guidance
The New York State Department of Financial Services has issued proposed guidance for domestic insurers setting out DFS’s expectations related to managing the financial risks from climate change.
The proposed guidance builds on the Circular Letter issued on September 22, 2020, which outlined its expectations that all domestic insurers start integrating the consideration of the financial risks from climate change into their governance frameworks, risk management processes and business strategies, and developing their approach to climate-related financial disclosure.
The proposed guidance is the first climate-related guidance issued by a U.S. financial regulator. Each insurer is expected to assess the significance of climate-related financial risks to its business and take a proportionate approach to managing those risks that reflects its exposure to those risks as well as the nature, scale and complexity of its business. DFS has a web page dedicated to climate change, which includes FAQs. Interested parties are encouraged to provide comments on the proposed guidance by Wednesday, June 23, 2021.
New Statewide Office of Financial Inclusion and Empowerment
Governor Cuomo has directed the creation of a Statewide Office of Financial Inclusion and Empowerment, originally proposed in his 2020 State of the State address, to meet the financial services needs of low- and middle-income New Yorkers. This new office will be housed within the Department of Financial Services, and the Honorable Tremaine Wright, previous representative for the 56th District of the New York State Assembly, has been appointed as the first Director of the office. This office will advance DFS’s financial inclusion initiatives, beginning with an inventory of services available from community organizations, advocacy groups, and industry across the state. The office will also coordinate existing work and initiatives with community partners to develop ideas and approaches to economic empowerment and justice. DFS’s press release can be found here.
New Cyber Consent Order
The industry is starting to see an uptick in enforcement of the cybersecurity regulation issued in 2017. The National Securities Consent Order, which carries a penalty of $3 million, reflects that the company did not have multi-factor authentication ("MFA") fully implemented for all users, failed to timely notify the Department of two cyber events that occurred, and falsely certified compliance, because MFA had not been fully implemented.
MFA requires more than one distinct authentication factor for successful access, such that a username and password alone are not sufficient to access an email account and its contents. MFA is the first line of defense against attempts to gain unauthorized access, including through phishing emails, which are emails sent by cyber criminals to deceive users into providing personal details or other confidential information to permit unauthorized access or harm to a protected information system.
One of the cyber breaches resulted from an independent broker’s O365 account being compromised through a phishing scheme. The broker noticed a potential unauthorized transfer of funds from a client account. Following notification by the broker to his manager, two additional potential unauthorized transfers in the same amount were uncovered. Around the same time, a help desk supervisor detected that forwarding rules had been set up on the broker’s O365 e-mail account. The company refunded the unauthorized transfers to the appropriate customers.