As we approach the end of the year, here are the Top 10 Cybersecurity posts on the Debevoise Data Blog in 2022 by page views. If you are not already a Blog subscriber, click here to sign up.

1NYDFS Proposed Significant Changes to Its Cybersecurity Rules

November 30, 2022

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Part 500 Cybersecurity Rules, which include a mandatory 24-hour notification for cyber ransom payments, annual independent cybersecurity audits for larger entities, increased expectations for board expertise, and tough new restrictions on privileged accounts. Following a highly-active pre-proposal comment period, NYDFS announced the publication of the official proposed amendments on November 9, 2022. The 60-day public comment period to the Proposed Amendments ends on January 9, 2023. In these posts, we discuss the key takeaways from the Proposed Amendments. Please also see here and here for answers to the top 10 questions from our webcasts on these proposed changes.

2.  Four Takeaways from the SEC’s Proposed Cybersecurity Rules

February 16, 2022

On February 9, 2022, the SEC released its much-anticipated proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.  Many of the proposals follow the trends that members of the Debevoise Data Strategy & Security and White Collar & Regulatory Defense practice groups discussed during a November 2021 webcast on the SEC’s Cybersecurity Year in Review, as well as in our prior Data Blog posts (here and here). In this post, we discuss the key requirements under the proposed rules and key takeaways.

3.  Six Key Takeaways from the SEC’s Most Recent Proposed Cybersecurity Rules for Registrants

March 11, 2022

On March 9, 2022, the SEC released its newest series of proposed cybersecurity rules, this time for all public companies. Consistent with the proposed rules issued last month for investment advisers and funds, which we discussed here, the SEC continues to prioritize cybersecurity disclosures to the marketplace, placing particular emphasis on timely and detailed disclosures of material cybersecurity incidents, as well as on periodic disclosures about cybersecurity risk management and governance. In this post, we discuss the key requirements under the proposed rules and key takeaways.

4.  Recent SEC Enforcement Actions Signal Key Lessons for Reg S-ID Compliance

August 2, 2022

On July 27, 2022, the Securities and Exchange Commission (“SEC”) separately charged three financial institutions with violations of Rule 201 of Regulation S-ID (“Reg S-ID”), also known as the Identity Theft Red Flags Rule (“Red Flags Rule”). The announcement of multiple Reg S-ID enforcement settlements (all of which were investigated by the SEC’s recently expanded Crypto Assets and Cyber Unit and originated from referrals from the Division of Examinations) highlights the SEC’s agency-wide focus on Reg S-ID compliance. Notably, these are the first Reg S-ID cases the SEC has brought since 2018, when the Commission brought its first-ever Reg S-ID action. In this post, we discuss key takeaways from the SEC’s enforcement actions for Reg S-ID compliance.

5.  Time to Update Cyber Incident Response Plans, Especially for Banks Subject to the New 36-Hour Breach Notification Rule

January 19, 2022

As cyberattacks continue to plague U.S. companies, cybersecurity remains a core risk, even for businesses that have invested heavily in technical measures to protect their systems.  As a result, cybersecurity best practices have evolved to include not only preventative measures, but also robust preparations for responding to cyber incidents, so that companies can improve their resilience, decrease the time it takes to detect and effectively respond to an attack, and reduce the overall damage.  Because nearly every company will at some point face a successful attack, regulators, insurers, auditors, and investors view an incident response plan (“IRP”) as a key element of a reasonable cybersecurity program. In this post, we offer key considerations when evaluating and revising IRPs.

6. New Cyber Incident Reporting Coming for Critical Infrastructure: Five Key Takeaways

March 16, 2022

On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”) into law, requiring critical infrastructure entities to report covered cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours and report ransom payments to CISA within 24 hours of payment. The Act, which was incorporated into the 2022 Consolidated Appropriations Act and does not take immediate effect, requires CISA to undertake rulemaking to define key elements, including what types of entities constitute critical infrastructure, how a cybersecurity incident is defined, and what should be included in reports to CISA. In this post, we outline key provisions of the Act’s new reporting requirements, and what companies should consider now in order to ensure future compliance in the event of a notifiable cybersecurity incident or ransomware attack where a ransom might be paid.

7. GDPR Technical and Organisational Measures: Lessons from the UK ICO’s £4.4m Data Breach Penalty

October 27, 2022

On October 24, 2022, the UK Information Commissioner’s Office (“ICO”) fined Interserve Group Limited £4.4 million for failing to implement appropriate technical and organisational measures to safeguard 113,000 individuals’ personal data in company HR databases. In this post, we outline what went wrong and lessons for businesses about how to manage the risk of similar incidents and regulatory enforcement action.

8. The EU Digital Operational Resilience Act (DORA): What you need to know and how to prepare

November 21, 2022

On November 28, 2022, the European Union finalized the EU Digital Operational Resilience Act (“DORA”). Following a two year implementation period, DORA will impose far-reaching operational resilience requirements and management oversight requirements on financial services firms – including banks, insurers and private equity firms – as well as critical service providers that, for the first time, will be directly regulated by EU financial services regulators. While aspects of the regime, including details of incident reporting obligations, remain to be decided, the key requirements are now set. In this post, we explore which entities are DORA-covered, its key provisions, and steps that businesses should consider to prepare for the new regime.

9. Unpacking the FTC’s 95 Questions for Commercial Surveillance and Data Security Rulemaking

August 22, 2022

On August 11, 2022, the Federal Trade Commission (“FTC”) announced its Advance Notice of Proposed Rulemaking (“ANPR”) seeking public comment on 95 questions focused on purported harms stemming from “commercial surveillance and lax data security practices.” The ANPR also invites views as to whether new trade regulation rules under Section 18 of the FTC Act, or other regulatory alternatives, are needed to protect consumers’ privacy and information. The FTC indicates that the ANPR is intended to invite comment “on all potential rules, including those currently in force in foreign jurisdictions, individual U.S. states, and other legal jurisdictions.” In this Data Blog series, we explore the FTC’s ANPR as it relates to several areas, including data security.

10. Cyber Whistleblowers: Eight Lessons from the First False Claims Act Settlements

July 20, 2022

On July 8, 2022, the U.S. Department of Justice (the “DOJ”) announced that Aerojet Rocketdyne (“Aerojet”), a California-based aerospace and defense contractor, agreed to pay $9 million to resolve allegations that it violated the False Claims Act (the “FCA”) by misrepresenting its compliance with cybersecurity requirements in federal government contracts. The DOJ’s announcement follows the court’s approval of a tentative settlement reached on April 27, 2022 by Aerojet and the whistleblower who filed the claims. This is the second settlement of cybersecurity-related FCA claims since the DOJ’s announcement of its new Civil Cyber-Fraud Initiative in October 2021, although the claims were brought against Aerojet well before the initiative was launched. In this post, we discuss the Aerojet settlement, the DOJ Civil Cyber Fraud Initiative, and key steps that companies should consider to mitigate the risk of liability under the FCA and better prepare for and respond to cybersecurity-related whistleblower complaints in general.

To subscribe to the Data Blog, please click here.


Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at