Debevoise Discusses the New SEC Cybersecurity Guidance

On February 21, 2018, the SEC issued new Guidance regarding cybersecurity disclosure and governance requirements applicable to SEC reporting companies. In our earlier Client Update on this topic, we discussed the disclosure considerations addressed in the Guidance. In this Client Update, we focus on the cyber-related governance issues addressed in the Guidance[1].

Cybersecurity and Risk Governance

The Guidance addresses three governance topics in the context of cybersecurity: (1) the adoption and regular assessment of cyber-related disclosure controls and procedures; (2) the establishment of policies and procedures to address the risk of insider trading based on material nonpublic cybersecurity …

Debevoise Analyzes Revised New York Cybersecurity Regulation for the Financial Sector

New York’s Department of Financial Services (DFS or the Department) has responded to a large volume of comments about its proposed, sweeping cybersecurity regulation for banks, insurers and other financial service providers by softening a number of provisions that many in the industry had criticized as onerous and overly prescriptive. On December 28, 2016, the Department published a revised regulation (the Revised Draft Regulation)[1] that altered its original, “first-in-the-nation” proposal issued on September 13, 2016 (the Original Draft Regulation).

Many had argued that the Original Draft Regulation should be more risk-based, along the lines of the NIST Cybersecurity Framework …

Debevoise & Plimpton discusses New York’s Proposed Cyber Regulations

On September 13, 2016, the New York Department of Financial Services (“DFS” or the “Department”) issued proposed regulations (the “Proposed Regulations”) designed to guard against the onslaught of cyber-attacks faced by banks, insurance companies and other financial services providers.[1] Billed by Governor Andrew Cuomo as a means to assure that regulated banks and insurance companies “protect consumers and ensure that [their] systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible,” the Proposed Regulations provide a baseline with respect to companies’ cybersecurity practices regardless of the size, nature or complexity of the business.[2] Though they mirror …