New York Cybersecurity Regulations Extended to Credit Reporting Agencies

This week, Governor Cuomo has directed the Department of Financial Services to issue a final regulation requiring credit reporting agencies to comply with cybersecurity regulations applied to financial service companies, previously adopted in 23 NYCRR 500, et seq. The new regulation, 23 NYCRR 201, et seq., obligates credit agencies reporting on 1,000 or more New York consumers to register annually with the DFS, and, beginning November 1, 2018, to comply with the previously adopted standards, including adoption of a cybersecurity program and CISO, and other controls.…

Should American Companies Be Worried About Security Risks Posed By Chinese Telecoms?

Members of Congress from both sides of the aisle recently wrote a letter to Google to express “concerns” about its strategic partnership with Chinese telecommunications companies such as Huawei Technologies, based on security risks related to state-sponsored espionage. As noted by the lawmakers, the heads of the CIA, NSA, FBI, and Defense Intelligence Agency have voiced similar concerns that smartphones made by China’s two largest manufacturers, Huawei and ZTE, pose a security threat to American customers. Moreover, the UK’s National Cyber Security Centre found that…

An Insurer’s Guide to Navigating the Legal Landmines of Cybersecurity Regulation

Cybersecurity is front and center now, especially for the financial services industry, which includes insurance and reinsurance companies, among others. States and regulators are passing laws and promulgating regulations designed to protect customer data in the possession of insurers and their associates. These new statutes and regulations aimed at the insurance industry are in addition to the myriad of other requirements imposed by government for the protection of this data. Aaron J. Aisen, co-chair of the regulatory sub-practice group in the Global Insurance Services

Shared InfoSec Language Fosters Shared InfoSec Goals

While most business leaders agree that cybersecurity has significant value, determining exactly where and how to spend company dollars on training and infrastructure continues to be a point of disagreement within organizations. Intelligent communication using a shared vocabulary, according to a recent Focal Point Data Risk report by the Cyentia Institute, is vital to achieving consensus, and a comprehensive security plan. As the barriers between the c-suite and IS department continue to diminish, thanks, in part, to widespread adoption of a chief information security officer…

The Glacial Movement of Global Cybersecurity

In the pastoral setting of Le Manoir Richelieu in Charlevoix, Quebec, G7 Summit partners met to discuss a broad spectrum of topics, including the shared values of freedom, democracy, the rule of law, a mutual respect for human rights and common commitment to promote a rules-based international order. Amidst the discussions of freedom, democracy and, yes, tariffs, world leaders issued a “Charlevoix G7 Summit Communique,” which advised: “We will work together to enforce existing international rules and develop new rules where needed, to foster a…

Papua New Guinea Shuts Down Facebook…Temporarily

The democratic government of Papua New Guinea (PNG) has announced a one-month shutdown of Facebook access within the nation, to allow the government to assess the spread of objectionable content, and to “allow information to be collected to identify users that hide behind fake accounts, users that upload pornographic images, users that post false and misleading information on Facebook to be filtered and removed.” While regimes such as Iran, North Korea, and China currently censor the social networking site, PNG is the first democratic nation…

Firewall’s Up: South Carolina Passes First-of-its-Kind Insurance Data Security Act

South Carolina recently became the first state to pass legislation modeled closely on the Insurance Data Security Model Law that was approved by the National Association of Insurance Commissioners (NAIC) last October. Amid the rising incidence of cyberattacks, cyber security is a key issue facing the insurance sector. South Carolina has taken a proactive step in protecting their business and customers from possible data breaches. The South Carolina Department of Insurance (SCDOI) Data Security Act, signed by the Governor on May 3, 2018, will become…

The SEC is Focused on Public Company Disclosure of Cybersecurity Risks

While new data privacy rules in the European Union have dominated the news lately, the U.S. Securities and Exchange Commission (SEC) has not so quietly been making waves of its own in the regulation of cybersecurity. In February, the SEC issued fresh guidance to public companies on the disclosure of cybersecurity issues, both in identifying risks prospectively and in disclosing breaches quickly. It then followed up that guidance in April with its first ever fine of a public company for failing to promptly disclose a…

The SEC Imposed its First Data-Breach Related Disclosure Penalty

On the heels of the Securities and Exchange Commission (SEC) February 20, 2018 guidance on cybersecurity-related disclosures, the SEC imposed its first data breach related enforcement penalty. It should come as no surprise that the SEC’s first penalty was levied against Yahoo arising from its massive 2014 data breach. The $35 million penalty was, as the SEC stated in its April 24 press release, intended “to settle charges that [Yahoo] misled investors by failing to disclose one of the world’s largest data breaches…

Better Late Than Never — Time to Get Those Cybersecurity Certifications of Compliance into NYDFS

If you are an individual or company regulated by the New York State Department of Financial Services (NYDFS), you may have received an email from NYDFS reminding you to submit your Certification of Compliance as soon as possible. New York’s relatively new cybersecurity regulation, 23 NYCRR 500 (the Regulation), requires all people and companies covered by the Regulation (Covered Entities) to file an annual statement by February 15 certifying that the entity was compliant (Certification of Compliance) with the Regulation as of December 31 of…