When the New York Department of Financial Services (“NYDFS”) issued its new cybersecurity rules in March, one question came up frequently: When are covered entities required to report an unsuccessful cyber attack? The rules provide that notification must be made to the NYDFS within 72 hours from a determination that a cybersecurity event has occurred that has a reasonable likelihood of materially harming normal operations, and the definition of a cybersecurity event includes an unsuccessful … Continue Reading
In a Risk Perspective released on July 7, 2017, the Office of the Comptroller of the Currency (“OCC”) emphasized the need for institutions to be cyber resilient – i.e., be able to respond to cyber attacks by managing various risks. Acting Comptroller Keith Noreika noted in a speech on the same day that “[e]ffective risk management promotes timely detection, response and escalation of operational issues to reduce customer impact due to product failures, possible fraud, … Continue Reading
Three recent cybersecurity events highlight the need for companies to review their access controls to limit who has administrator privileges and how long those elevated privileges last.
First, this week, computer malware that has variously been called PetyaWrap, WannaCry2, GoldenEye and NotPetya began spreading in dozens of countries, encrypting computers and informing users that they could unlock their machines by paying a $300 ransom. Although the malware first appeared to function as ransomware, it now … Continue Reading
A new report from the Ponemon Institute indicates that less than half of the nearly 600 financial institutions surveyed expect to meet the February 2018 deadline for certification of compliance with all of the cybersecurity rules from NY DFS that are applicable to them. Of those, nearly one-quarter said there was “no chance” they would be able to do so. Notwithstanding these challenges, the DFS has indicated on the FAQ section of its website that … Continue Reading
We are pleased to announce that client beta testing has begun for the Davis Polk Data Breach Notification Resource Portal—a secure online suite of tools designed to assist clients in preparing and planning for a possible data breach, and help them comply with state and federal law obligations to inform customers, regulators, and law enforcement. Utilizing a simple, query-based portal, the Notification Assessment Tool allows clients to receive rapid privileged legal advice on notification … Continue Reading
We have issued a memo on recent proposed U.S. federal banking regulations that could significantly expand the existing cybersecurity regulatory framework for covered financial institutions. The Enhanced Standards intend to strengthen cyberattack preventative measures and post-attack responses.
On October 25, 2016 FinCEN issued an advisory and FAQs to financial institutions regarding their Suspicious Activity Report (SAR) obligations with respect to cyber-events, cyber-enabled crime, and cyber-related information as those terms are defined. The FAQs supersede previous FAQs issued in 2001. The advisory and FAQ also discuss collaboration between in-house BSA/AML teams (e.g., noting that the BSA/AML teams need not have personnel devoted … Continue Reading
We have issued a memo on recent proposed cybersecurity regulations by the New York State Department of Financial Services that would be more stringent than existing federal requirements for certain financial entities. The memo highlights similarities and differences between the proposed regulations and federal regulations and guidance.
On March 2, 2016, the CFPB announced that it had settled an enforcement action with Dwolla, Inc., an online payment platform, for making allegedly deceptive statements regarding its data security practices and the safety of its online payment system. Dwolla agreed to pay a $100,000 civil penalty and to undertake measures to improve its data security.… Continue Reading
We have issued a memo on a rising trend in business email scams, which if successful, could trigger data breach notification obligations.