Cybersecurity and Economic Stability: An interview with former NYDFS Superintendent, Maria Vullo

Marc Schein spends this episode of CHATTINN CYBER introducing podcast listeners to the former Superintendent of the New York State Department of Financial Services, Maria Vullo. From 2016-2019, Ms. Vullo worked to implement DFS cybersecurity regulations in an effort to prevent the economic turmoil that could result from a data incident within financial services. Maria Vullo’s drive to enact NY state-wide cybersecurity regulation stemmed, in part, from the devastating effects of the 2008 financial crisis. At a time when our nation’s economy experienced the biggest downturn since the Great Depression, both the private and public sectors felt the crushing effects of recession.

Ms. Vullo’s career began after she graduated from NYU’s School of Law. Obtaining a federal clerkship with Paul, Weiss, Rifkind, Wharton & Garrison LLP in 1988, Ms. Vullo was promptly asked to return as a litigation partner, where she continued to work in the private sector for 27 years. While invested in cases concerning civil, criminal, and regulatory matters (many of which involved financial services), Ms. Vullo also devoted herself to women’s and human rights through pro bono litigation and leadership roles in NPOs.

But the pinnacle of Maria’s professional career so far is found in the 23 NYCRR 500 regulation, also known as Part 500. In March of 2017, the state of New York enacted a series of policies specific to all DFS-regulated institutions, including state-chartered banks, certain money transmitters, and all insurance companies and agents licensed to do business in NY. Part 500 requires entities to meet standards for cybersecurity protection in areas such as policy, programs, risk assessment, and incident response.

“I did it because my job as Superintendent was the protection of the safety and soundness and the fiscal health of the institutions that I was responsible for overseeing. Cybersecurity is such a risk that I thought it was important to set out certain minimum standards that they all have to comply with.” 

Since many New York insurance companies and banks operate throughout the nation as well, the country has seen a spread of cybersecurity regulations across states, making strides towards a national model. 

“We went through a very elaborate process and had a lot of professionals looking at what was the best regulation to do and I think we accomplished that, and I also think it’s important for these principles to be more widely dispersed both for the protection of the industry and also to provide a consistent framework for companies to have to follow.” 

Retired from the DFS and now consulting at her own firm, Maria Vullo sees that there is a lot of work still to be done within the country. She believes that a lot of good can come out of both the private and public sector as long as people and their welfare are always the compass that drives endeavors. To learn more about Ms. Vullo’s impact throughout the decades and how she believes the field of cybersecurity still needs to advance, listen in to this episode of CHATTINN CYBER with Marc Schein.