Cyber: New York regulator moves the goalposts

September 2016


In early September 2016, the New York State Department of Financial Services (DFS) proposed a broad set of regulations for banks, insurers, and other financial institutions. The proposal is largely consistent with existing guidance, but it goes further in some ways. The most impactful new requirements are the proposal’s call for enhanced encryption of all nonpublic information (both data “in transit” and data “at rest”) and improved multi-factor authentication.

Additionally, the proposal would require that the chairperson of the board or a senior officer submit an annual certification that the entity is complying with the regulation’s requirements. Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant.

As an overview, this paper covers the following:

What does the DFS’s proposal require?

  • Cybersecurity program
  • Cybersecurity policy

What are the new challenges?

  • Data encryption
  • Enhanced multi-factor authentication
  • Annual certification
  • Incident reporting

It is clear that regulators across the financial services industry are focused on raising the bar for cybersecurity programs. As a result, we recommend that organizations proactively focus on developing a robust risk-based cybersecurity program rather than reactively responding to siloed regulatory guidance.

This Financial crimes observer analyzes DFS’s proposal and identifies key challenges.

Contact us

Dan Ryan
US Banking and Capital Markets Leader
Tel: +1 (646) 471 8488

Alison Gilmore
US Asset and Wealth Management Marketing Leader
Tel: +1 (646) 471 0588
