At a glance
DFS's revised proposal is less prescriptive and more risk-based than its earlier version.
On December 28, DFS issued a revised proposal containing a broad set of regulations for banks, insurers, and other financial institutions. The revised proposal is less prescriptive and provides more flexibility than the original proposal issued last September. Notably, the revised proposal adjusts encryption, multi-factor authentication, and third party risk management requirements to be more risk-based.
Although the proposal is largely consistent with existing cybersecurity guidance, it goes further in some ways. Notably, DFS will require that the chairperson of the board or a senior officer submit an annual certification that the entity is complying with the regulation’s requirements. Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant.
It is clear that regulators across the financial services industry are focused on raising the bar for cybersecurity programs. As a result, we recommend that organizations proactively focus on developing a robust risk-based cybersecurity program rather than reactively responding to siloed regulatory guidance.
This Financial crimes observer analyzes DFS’s revised proposal, identifying key challenges.