On December 28, the New York Department of Financial Services issued revisions to the extensive and detailed cybersecurity regulations for licensed banks and insurance companies, which DFS first announced in September 2016 (proposed 23 NYCRR Part 500). The revised regulations are an improvement over the earlier release. They provide some flexibility for a company to forgo a security practice that the regulations endorse, but that is unnecessary to contain risk. They also narrow the types of data that must be protected. In addition, they extend the phase-in to two years and acknowledge the necessity of confidentiality safeguards for information that DFS requires businesses to submit to it.
The essential thrust of the regulations, however, remains intensely mandatory and specific in a way no other cybersecurity standards are. Moreover, with respect to a very large number of banks, other lenders, and insurance carriers and producers, New York’s regulations will have national effects. This is especially so because the National Association of Insurance Commissioners appears unlikely to finalize its cybersecurity model law anytime soon and the federal government seems focused on other matters.
Accordingly, now is the time for NY licensees to begin planning to comply with the new DFS regulations. Day Pitney attorneys stand ready to advise our clients on the regulations’ requirements, including revising or for the first time instituting a comprehensive cybersecurity program that protects nonpublic information and plans for and protects against cybersecurity events. We are available to guide you in determining how notification and incident response must proceed (especially given the often-long window to detect a breach but short window to report it), what data requires protection, and how to adroitly manage external as well as internal cybersecurity resources. Day Pitney attorneys can also assist clients in engaging with federal departments and agencies charged with cybersecurity responsibilities that may involve classified or other sensitive government matters. We can also advise on how the New York regulation will interact with other insurance regulations such as enterprise risk reporting and own risk and solvency assessments (ORSAs).
Day Pitney will be holding a briefing session on cybersecurity regulations, designed to meet Continuing Legal Education requirements, in our Stamford office on January 12 from 9:30 a.m. to 1:00 p.m. In addition to discussing the evolving regulations, we will discuss some of the ethical issues involved in cyber regulation and reporting.
Space is limited, so please RSVP if you would like to attend.
On September 13, Jed Davis was a featured panelist on a webinar, "The Threat at Your Doorstep: Why You Should be Using Cyber Threat Sharing," produced by Thomson Reuters.
Day Pitney LLP, together with the State of Israel and PDB FutureCom International, hosted a unique, invitation-only Startup Program for early-stage cybersecurity and analytics investors at the Cornell Club of New York.
Steven Cash and Naju Lathia authored an article, "Pitching Your Cybersecurity Case to Law Enforcement Agencies," published by the New York Law Journal.
Jed Davis was quoted in a feature article, "The Privacy Fight For Digital Data Warrants Is Just Starting," published by Law360.
Steven Cash was quoted in an article, “Mystery in Mueller Probe: Where’s the Hacking Indictment?,” published by The Hill.
Jed Davis was quoted in an article, “Phantom Arrest Shows Tech Cos. Must Police Own Products,” published by Law360.
Day Pitney and the National Governors Association (NGA) hosted an invitation-only forum, held at the Downtown Harvard Club of Boston, that brought together lawyers, policymakers, cybersecurity experts and other participants to identify and discuss legal issues related to the growing Industrial Internet of Things (IIoT).