In early September 2016, the New York State Department of Financial Services (DFS) proposed a broad set of cybersecurity regulations for banks, insurers, and other financial institutions. The proposal is largely consistent with existing guidance, but it goes further in some ways. The most impactful new requirements are the proposal’s call for enhanced encryption of all nonpublic information (both “in transit” and “at rest”) and for improved multi-factor authentication.
Additionally, the proposal will require that the chairperson of the board or a senior officer submit an annual certification that the entity is complying with the regulation’s requirements. Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant.
As an overview, this paper covers the following:
What does the DFS’s proposal require?
What are the new challenges?
It is clear that regulators across the financial services industry are focused on raising the bar for cybersecurity programs. As a result, we recommend that organizations proactively focus on developing a robust risk-based cybersecurity program rather than reactively responding to siloed regulatory guidance.
This Financial crimes observer analyzes DFS’s proposal and identifies key challenges.