New York State’s top financial watchdog has some significant regulatory victories under its belt, and now the Department of Financial Services is taking a closer look at insurance-industry cybersecurity practices.



Fresh from reaching settlements with the Bank of Tokyo over money laundering and with Deloitte Financial Advisory Services over conflicts of interest by the consultancy, Benjamin Lawsky, the superintendent of the New York DFS, said in a speech Monday night that banks will face consequences for not self-reporting misconduct. And having recently queried insurance companies about their cybersecurity practices, he wants insurers to be planning for “worst-case scenarios” to protect their systems.



Lawsky has been building a reputation as an aggressive regulator since his office hammered out a $340 million settlement with Standard Chartered Bank regarding anti-money laundering (AML) violations last summer. DFS was formed in 2011 by combining two existing state agencies, the Banking Department and the Insurance Department, and has authority to regulate banks and insurance companies that operate in New York State.



When it comes to AML and sanctions violations by banks, Lawsky said DFS views that conduct as an antiterrorism issue and sees a need for regulators to be tougher in such cases. “Terrorism does not typically thrive without money,” he told the audience at an event in Manhattan.



The DFS head acknowledged that companies are paying larger fines for violations in this area, but said the high penalties shouldn’t keep banks from self-reporting misconduct. “We want them to know if they don’t self-report this, the consequences could be far greater,” he said.



Lawsky has urged other regulators to follow DFS’s lead on reform issues, and on Monday he pointed to the department’s unique settlement targeting conflicts of interest by consultants acting as corporate monitors.



“We’re requiring consultants to inform our agency when they make a recommendation to a financial institution that a financial institution has failed to implement,” he said.



As an example, Lawsky cited last week’s agreement by Deloitte to pay New York state $10 million and to suspend consulting work at DFS-regulated companies for one year. Standard Chartered hired Deloitte to review its AML risks, per a compliance agreement the bank signed with state and federal regulators in 2004.



However, DFS found that Deloitte omitted certain recommendations from a final report when Standard Chartered complained about them, and that the consultancy disclosed confidential information about other bank clients to Standard Chartered.



The Deloitte settlement outlines a new set of safeguards for consultants that need approvals from DFS to carry out their work. Lawsky said his office has the power to deny consultants vital access to “confidential supervisory information” in order to hold them accountable. Such records are “the keys to the kingdom,” Lawsky said.



The superintendent is also concerned about potential cyber attacks on large insurance carriers in New York, both in terms of the impact they’d have on the financial system and on individual privacy.



Insurers “hold unbelievably important data for all of us,” he said. “The privacy concerns are very real.”



Last month, DFS sent letters to insurance companies requesting information about how they address cybersecurity. Bank of America Merrill Lynch’s Assistant General Counsel Richard Borden, speaking at Corporate Counsel’s GC East conference earlier this month, called such a request by a state regulator “astounding.”



“This is not an investigation,” Lawsky told the audience in regard to the digital-security requests. Rather, he said, DFS intends to “work fairly privately” with the companies it regulates on cybersecurity issues.



“I think one problem companies are having is they are nervous about sharing data with each other about what they’re doing, obviously, for competitive reasons,” said Lawsky, who also co-chairs New York Governor Andrew Cuomo’s new cybersecurity advisory board. “And if we can facilitate a conversation about best practices and help those who are lagging behind up their cybersecurity, I think that will be a very important thing.”