New York’s Proposed Cyber Regulations: Implications and Challenges

15 September 2016
Key takeaways

  • If enacted, the new DFS cybersecurity regulations would raise the bar significantly for banks, insurers and other financial services providers under the Department’s jurisdiction. The Proposed Regulations are far-ranging in scope, including not only specific technical safeguards but also requirements regarding governance, incident planning, data management and system testing, and an aggressive 72-hour time frame to notify DFS of certain cyber incidents.
  • Although the Proposed Regulations echo a growing chorus of other regulators calling for improved cybersecurity measures by banks and insurers (notably the Financial Stability Oversight Council, FFIEC and the Federal Reserve Board), they go much further than any regulations set forth before by requiring a comprehensive approach to mitigating cybersecurity risks.
  • As cyber threats continue to increase in volume and complexity, DFS’s proposals likely will influence the approach taken by federal and state regulators as they consider further regulation in this area and as they review the practices of organizations under their jurisdiction.