With about a month to go until the first set of NYDFS’s cybersecurity rules goes into effect (on August 28, 2017), we are proud to announce the formal launch of the Davis Polk Cyber Blog.  The blog will help you keep pace with industry best practices and be aware of your company’s cybersecurity obligations, including those relating to the NYDFS rules.  Aside from posts about developments in cybersecurity, the blog includes information about our Data Breach Notification Resource Portal.  This Portal allows clients to quickly assess their cyber breach notification obligations under all 48-state law regimes, as well as various federal notification statutes, by answering a series of questions.  A video demonstration of our Portal, which is currently in beta testing, is available upon request.

The NYDFS cybersecurity rules taking effect is a significant event for NYDFS-regulated entities, and for any company facing cybersecurity concerns.  The unique combination of (1) concrete cybersecurity requirements (e.g., access controls), (2) a senior-level certification obligation, and (3) the 72-hour notice requirement, will likely have a lasting impact on cybersecurity regulations and expectations in general.  Covered companies have one month left to have the following measures in place:

  • Designate a Chief Information Security Officer (“CISO”);
  • Implement the required elements of a cybersecurity program, cybersecurity policies, and an incident response plan;
  • Regulate access privileges for information systems;
  • Ensure that required cybersecurity personnel are in place; and
  • Be prepared to notify the NYDFS within 72 hours of certain cybersecurity events.

The rules also require that companies conduct a risk assessment, but that deadline (along with the deadline for the CISO report to the Board, training, penetration testing, and multifactor authentication) is not until March 1, 2018.  However, because of the express connections between the risk assessment and many of the obligations set forth in the rules (most recently, the notice requirement, as reflected in the updated NYDFS FAQ described in our recent blog post), many companies are aiming to conduct their risk assessment early, so that it can be factored into the certification process that must be completed by February 15, 2018.

The cybersecurity events that trigger the 72-hour notice requirement include those that:

  • Require notice to be provided to any other government body, self-regulatory agency, or supervisory body; or
  • Create a reasonable likelihood of materially harming any part of the normal operation of your company.

Beyond those NYDFS-regulated entities that are directly subject to the rules, thousands of vendors of those firms will be required to comply with the rules because the companies that they serve are obligated to impose the requirements on their vendors.

More broadly, as discussed in our Webcast about NYDFS cyber compliance last month, the rules may come to be considered industry best practices for cybersecurity.  As a result, many companies that are not subject to the rules will, for a variety of reasons, want to be able to say that they meet the NYDFS requirements.

For more details on issues regarding these obligations, please visit the Cyber Blog.

Avi Gesser

Mr. Gesser is a partner in Davis Polk’s Litigation Department.  He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies who have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations.  He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force.  In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues.

Antonio J. Perez-Marques

Mr. Perez-Marques is a partner in Davis Polk’s Litigation Department. His practice spans complex commercial litigation, including securities and M&A-related litigation, as well as securities enforcement and white collar matters. He also has extensive experience advising Spanish, Latin American and other foreign clients concerning U.S. litigation matters, and domestic clients concerning overseas and cross-border disputes.

Reuben Grinberg

Mr. Grinberg is an associate in Davis Polk’s Financial Institutions Group. His practice focuses on advising financial institutions and industry groups on a wide range of bank regulatory and cybersecurity matters. He also provides strategic, transactional and regulatory advice to a wide array of both established and emerging participants in the FinTech space, including the regulatory treatment of virtual currencies and blockchain.

Joseph Garmon

Mr. Garmon is an associate in Davis Polk’s Litigation Department. His practice focuses on civil litigation, white collar defense and cybersecurity regulatory and compliance issues.