According to a CFPB Circular, the CFPB seeks to further muscle into the cybersecurity enforcement space, and it encourages State AG’s to do so as well, saying: “Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents.” State AG’s and banking regulators have authority under certain circumstances to bring enforcement actions in federal court for unfair, deceptive, and abusive practices under the Dodd-Frank Act.
The circular may be found here: https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/