Cybersecurity Protection for Cyber Insurance : An interview with Maria T. Vullo

In this episode of CHATTINN CYBER, Marc Schein interviews Maria T. Vullo, Founder, and CEO of Vullo Advisory Services, PLLC, a strategic advisory firm. She serves on several for-profit boards, is Regulator-in-Residence at the Fintech Innovation Lab, and an Adjunct Professor at Fordham Law School. She was formerly the New York’s Superintendent of Financial Services, responsible for managing a 1,400 person regulatory agency that supervises New York’s banking and insurance industries. Maria has extensive banking and insurance regulation expertise, BSA/AML compliance, an understanding of cybersecurity and data privacy, fintech and insurance, and strategic litigation.

In today’s episode, Maria discusses her insightful career in DFS, working in private law and consulting practice later. She shares her experience working with private and public sector institutions and how both have added to her expertise in the law.

Maria talks about finalizing the DFS Proposed Regulations Part 500 (Cybersecurity Requirements for Financial Services Companies) in 2017 and its significance. Not only was it a big deal in cyber, but it was the first in the nation at that time and is still a leading force in cybersecurity regulations. Maria adds that DFS has a huge responsibility in helping manage cybersecurity risks. It is responsible for the safety and soundness of all the banks and insurance companies that are state-chartered. Since any cyber risk could also create a potential financial risk to them, the DFS had to take steps to consider cybersecurity seriously.

The government plays a huge role in combating cyber risk or ransomware. After the ‘SolarWinds hack’, the largest global cybersecurity attack that happened recently, the federal agencies and governments passed a pervasive executive order asking all private and public agencies to bring a unified approach to handling cybersecurity issues.

The New York State Department of Financial Services (NY DFS) recently issued new Ransomware Guidancefor regulated companies to prevent successful ransomware attacks. This happened post realizing that 74 of their regulated institutions had suffered ransomware attacks, 17 of which needed to be paid the ransom.

We also discuss the world of FinTech pre and post COVID and why insurance suffered in these times. Maria explains that in financial services, consumer protection will be a big issue for the Biden administration. Virtual currency is another central area of regulation considering its global reach.

Maria closes the conversation by stating the massive role of cybersecurity protection in enabling cyber insurance. It will continue to grow in importance in the coming years!


“If you have a significant cyber cybersecurity attack, that’s a financial attack and you have a ransomware attack that stops your business, has a huge impact, if not a closing impact on your bottom line.”

“DFS as a regulator is very, very concerned with the financial soundness of banks, insurance companies, because there’s all these people out there that rely on financial services for their banking for their insurance policies.”

“The more that you follow the regulation, the more that you have security and everything else, the less likely it will be that you will suffer one, or if you do, there’ll be mitigation measures that won’t have as serious an impact.”

“Cyber insurance is such a critical issue for all companies. And I think that it goes hand in hand with cybersecurity protection.”

“The stronger your cybersecurity protections, the better able you are to get a good cyber insurance policy.”

“The last thing that I want to see as a former insurance regulator is for insurance companies to not be in the space or for the pricing to be such that people can buy cyber insurance.”


[00:57] – Maria’s experience working with both private and public sectors and how both of them helped her build a strong career in law.

[02:52] – About the DFS Proposed Regulations: Part 500 – Cybersecurity Requirements for Financial Services  Companies

[05:17] – New Ransomware Guidance for regulated companies on preventing successful ransomware attacks by the DFS

[07:43] – The role of government in combating cyber risks

[10:32] – Fintech today

[13:00] – The regulations around virtual currency today

[15:58] – Maria’s parting advice for the listeners

Connect with Maria:







Regulatory Compliance In Cybersecurity And The Practices To Mitigate Cyber Risks With Jennifer Coughlin, part 2

In this episode of CHATTINN CYBER, Marc Schein interviews Jennifer Coughlin, Founding Partner at Mullen Coughlin, a law firm exclusively dedicated to representing organizations facing data privacy events and information security incidents and the need to address these risks before a crisis hits. Jennifer focuses her practice solely on providing organizations of all sizes and from every industry sector with first-party breach response and third-party privacy defense legal services. The second part of the conversation talks about regulatory compliance, investigations and movements, cyber insurance, how to mitigate cyber risks, especially those due to ransomware attacks, and the present and future cyber threats.

On the regulatory front, many new laws and guidelines on cybersecurity are being proposed; regulatory investigations, too, are picking up well. Data shows that while over 30 movements happened in 2021, so far in 2022, 20 have occurred. These indicate:

  1. Increased reliance upon data and information systems
  2. A recognition of the impact of losing access to data and information systems
  3. Uncertainty around what businesses are doing with the massive amounts of data collected
  4. Consumers’ recognition of data privacy
  5. Victim organizations have a ton of data that could help in the fight against cybercrime.

Cyber insurance companies are helping organizations reduce the uncertainty due to cyber risks by setting up a vetted procedure and providing the necessary education to respond to data privacy incidents. With an evolved cyber insurance underwriting, companies can have increased safeguards, better implementation, and response to cyber incidents.

How can your company mitigate cyber incidents? Conduct a data-mapping exercise, considering carefully the data you have on your system, the access controls, cost, loss in the case of security violations, and testing around that. Next, consider Multi-Factor Authentication – it’s a necessity in any company. Mullen Coughlin has a 3-2-1 plan indicative of their practice of keeping 3 backups in 2 different locations, 1 of which is offline.

Before dealing with ransomware attacks, companies need to take the time to understand their contracts, obligations, and responsibilities, so they’re aware of the laws that apply in the case of a cyber incident. Being aware of the timelines and laws could help faster implement the necessary cybersecurity controls and practices.

Additionally, training the employees properly about healthy cyber practices is essential. There needs to be proper learning and reinforcement of cybersecurity practices in organizations.

Towards the close of the episode, Jennifer shares that cybersecurity incidents are not predicted to decrease in a coming couple of years. Job security in the industry appears strong.

Listen to the conversation for more details!


“All these movements (around cybersecurity laws) are indicative of their recognition that victim organizations have a ton of data that would be really helpful in the fight against cybercrime. And they’re not getting their hands on that. So under all of these movements, they’re talking about sharing more information with them. So that when these laws are crafted, when these government meetings are happening, they have additional information that can be really helpful to the conversation.”

“The cyber insurer has already figured out the call you make to set into motion, to ring the bell that is going to set into motion everything that needs to be done to efficiently and compliantly respond to these data privacy incidents; they’ve identified the resources that are needed to do so, they vetted these resources that are needed to do so.”

“Vulnerabilities are being identified all the time, you’ve got zero day exploits being identified, you need to make sure you have a patch management program so that you’re monitoring for patches issued for vulnerabilities, assessing whether or not those patches need to be applied to your system and making sure those patches are being applied to your system. ”


[00:45] – What’s going on in the regulatory front of cybersecurity?

[03:34] – Insight into the plaintiff’s bar

[10:59] – Reducing or mitigating a potential cybersecurity incident

[20:49] – Cyber risk prediction for 2022-23

Connect with Jennifer: