Cyber: New York regulator moves the goalposts

September 2016

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.


In early September 2016, the New York State Department of Financial Services (DFS) proposed a broad set of regulations for banks, insurers, and other financial institutions. The proposal is largely consistent with existing guidance, but it goes further in some ways. The most impactful new suggestions are the proposal’s call for enhanced encryption of data of all nonpublic information (including data both “in-transit” and “at-rest”) and improved multi-factor authentication.

Additionally, the proposal will require that the chairperson of the board or a senior officer submit an annual certification that the entity is complying with the regulation’s requirements. Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant. 

As an overview, this paper covers the following:

What does the DFS's proposal require?

  • Cybersecurity program
  • Cybersecurity policy

What are the new challenges?

  • Data encryption
  • Enhanced multi-factor authentication
  • Annual certification
  • Incident reporting

It is clear that regulators across the financial services industry are focused on raising the bar for cybersecurity programs. As a result, we recommend that organizations proactively focus on developing a robust risk-based cybersecurity program rather than reactively responding to siloed regulatory guidance.

This Financial crimes observer analyzes DFS’s proposal and identifies key challenges.

Contact us

Dan Ryan
Banking and Capital Markets Leader, PwC US
Tel: +1 (646) 471 8488

Follow us