On December 28, the New York Department of Financial Services issued revisions to the extensive and detailed cybersecurity regulations for licensed banks and insurance companies, which DFS first announced in September 2016 (proposed 23 NYCRR Part 500). The revised regulations are an improvement over the earlier release. They provide some flexibility for a company to forgo a security practice that the regulations endorse, but that is unnecessary to contain risk. They also narrow the types of data that must be protected. In addition, they extend the phase-in to two years and acknowledge the necessity of confidentiality safeguards for information that DFS requires businesses to submit to it.
The essential thrust of the regulations, however, remains intensely mandatory and specific in a way no other cybersecurity standards are. Moreover, with respect to a very large number of banks, other lenders, and insurance carriers and producers, New York’s regulations will have national effects. This is especially so because the National Association of Insurance Commissioners appears unlikely to finalize its cybersecurity model law anytime soon and the federal government seems focused on other matters.
Accordingly, now is the time for NY licensees to begin planning to comply with the new DFS regulations. Day Pitney attorneys stand ready to advise our clients on the regulations’ requirements, including revising or for the first time instituting a comprehensive cybersecurity program that protects nonpublic information and plans for and protects against cybersecurity events. We are available to guide you in determining how notification and incident response must proceed (especially given the often-long window to detect a breach but short window to report it), what data requires protection, and how to adroitly manage external as well as internal cybersecurity resources. Day Pitney attorneys can also assist clients in engaging with federal departments and agencies charged with cybersecurity responsibilities that may involve classified or other sensitive government matters. We can also advise on how the New York regulation will interact with other insurance regulations such as enterprise risk reporting and own risk and solvency assessments (ORSAs).
Day Pitney will be holding a briefing session on cybersecurity regulations, designed to meet Continuing Legal Education requirements, in our Stamford office on January 12 from 9:30 a.m. to 1:00 p.m. In addition to discussing the evolving regulations, we will discuss some of the ethical issues involved in cyber regulation and reporting.
Space is limited, so please RSVP if you would like to attend.
On February 5, partners Dan Wenner and Jed Davis will present a webinar, "Cybersecurity Incident Report: Applying Reason And Rigor To Control Chaos," produced by PLAC (formerly the Product Liability Advisory Council).
Day Pitney sponsored a program, "Parade of Corporate Horribles: Responding Ethically to a New Problem Around Every Corner," presented by the Westchester/Southern Connecticut Chapter of the Association of Corporate Counsel (ACC).
On September 13, Jed Davis was a featured panelist on a webinar, "The Threat at Your Doorstep: Why You Should be Using Cyber Threat Sharing," produced by Thomson Reuters.
Jed Davis was quoted in an article, "Marriott Hack Shows Risks Of Lax Cyber Diligence In Mergers," published by Law360.
Jed Davis was quoted in a feature article, "The Privacy Fight For Digital Data Warrants Is Just Starting," published by Law360.
Steven Cash was quoted in an article, “Mystery in Mueller Probe: Where’s the Hacking Indictment?,” published by The Hill.
Jed Davis was quoted in an article, “Phantom Arrest Shows Tech Cos. Must Police Own Products,” published by Law360.