As we approach the end of the year, here are the Top 10 Cybersecurity posts on the Debevoise Data Blog in 2023 by page views.


1. A Summary of the Final Amendments to the NYDFS Cyber Rules (November 14, 2023)

On November 1, 2023, the New York Department of Financial Services (“NYDFS” or the “Department”) announced the adoption of the second amendment to its Cybersecurity Regulation (the “Second Amendment” or “Final Amendment”) that reflects NYDFS’s revisions as a result of comments it received on the proposed amendment released in June 2023 (the “June 2023 Proposal”). In this post, and the accompanying webcast, we discuss the changes in the Final Amendment, as well as the new timeline for their implementation.


2. The SEC’s 2024 Examination Priorities: Continued Scrutiny of Cybersecurity Policies and Procedures (October 18, 2023)

On October 16, 2023, the SEC’s Division of Examinations (“EXAMS”) issued its 2024 Examination Priorities (the “2024 Priorities”). The 2024 Priorities reflect the Commission’s continued scrutiny of information security and operational resiliency at registrants and the risks posed by third-party service providers, as well as new attention to artificial intelligence and other forms of so-called emerging financial technology.


3. FTC Adopts Broad Breach Notification Amendment to Its Safeguards Rule (October 30, 2023)

On October 27, 2023, the Federal Trade Commission (“FTC”) approved an amendment (“Amended Rule”) to the Standards for Safeguarding Customer Information (the “Safeguards Rule”) that will require non-banking financial institutions (“covered entities”) to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the unauthorized acquisition of unencrypted customer information of at least 500 consumers. The Amended Rule, which applies to all covered entities subject to the Safeguards Rule, will be effective on May 13, 2024. In this post, we discuss the Amended Rule’s requirements and potential impacts.


4. Lessons from The Financial Stability Board’s Report on Cyber Incident Reporting (May 31, 2023)

In a report published in April 2023, “Recommendations to Achieve Greater Convergence in Cyber Incident Reporting: Final Report,” the Financial Stability Board (FSB) provided incisive commentary on practical issues and challenges to achieving greater convergence in cyber incident reporting and made sixteen recommendations, principally directed to financial authorities, to improve the situation. In this post, we summarize the FSB Report and its key recommendations, and explain how financial institutions may wish to leverage the FSB Report.


5. National Cybersecurity Strategy (Part 2): The White House Targets Threat Actors and Urges International Partnerships (August 15, 2023)

The White House has certainly been true to its word on pushing forward on cyber. In July 2023, following the release of the Biden Administration’s (“the Administration”) National Cybersecurity Strategy (the “Strategy”), the Administration announced its Implementation Plan, detailing initiatives to execute the Strategy. Following that, the White House Office of the National Cyber Director (“ONCD”) announced a request for information (“RFI”) on cybersecurity regulatory harmonization by September 15, and the Administration also unveiled its National Cyber Workforce and Education Strategy. As we wrote in Part 1, the Strategy is organized into five pillars, each with its own strategic objectives. In Part 2, we discuss pillars 2 and 5, which address the government’s efforts to disrupt and dismantle cyber threats and forge international partnerships around cybersecurity. In Part 3, we will cover the Implementation Plan.


6. Takeaways from Proposed Changes to the NIST Cybersecurity Framework (February 27, 2023)

Risk assessments are a critical component of a robust cybersecurity program. To benchmark their risk assessments and cybersecurity maturity reviews, companies often look to recognized industry standards such as the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF” or “the Framework”). In this post, we discuss proposed changes to the Framework and offer takeaways for companies that use the Framework for cybersecurity risk assessments.


7. A Late Winter Blizzard of SEC Cybersecurity Rulemaking: the Proposed BD Cybersecurity Rules and Expanded Reg S-P and Reg SCI Obligations (March 20, 2023)

On March 15, 2023, the U.S. Securities and Exchange Commission (the “SEC”) released a suite of proposed new rules (the “Proposed Rules”) that include proposed new cybersecurity rules for broker-dealers, amendments to Regulation S-P, and amendments to Regulation SCI. In this post, as well as our accompanying webcast, we outline the key requirements of the Proposed Rules and offer key takeaways to help firms navigate and prepare for the likely adoption of a version of these complex regulations. The SEC’s Fall 2023 Regulatory Agenda was posted on December 6, 2023. The SEC has indicated its plans to issue final rules for Market Entities, Amendments to Reg SCI, and Amendments to Reg S-P in April 2024.


8. Security by Design and Default: CISA Looks to Drive Changes in Manufacturer Responsibility, Consumer Education and Private-Public Information Sharing (August 14, 2023)

In June 2023, the Aspen Institute hosted a fireside chat with Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (“CISA”), to discuss current developments in cybersecurity and how the government is responding. Aligned with the White House’s National Cybersecurity Strategy released earlier this year and the May 2021 Executive Order on Improving the Nation’s Cybersecurity, Easterly discussed CISA’s security by design and default initiative, which builds upon existing global proposals to shift responsibility for security from consumers to software manufacturers and distributors. This post discusses key observations shared during the event, as well as some considerations for companies to take into account in response to CISA’s initiatives and commentary. Since the event, CISA has continued to update its “Secure by Design” page with resources and cybersecurity alerts.


9. Report Underscores FINRA’s Focus on Cybersecurity (January 18, 2023)

On January 10, 2023, the Financial Industry Regulatory Authority (“FINRA”) published its 2023 Report on FINRA’s Examination and Risk Monitoring Program (the “Report”), which is intended to provide member firms with key considerations and observations to use in enhancing their compliance programs. The Report discusses 24 topics relevant to the securities industry, including cybersecurity, as cyber threats continue to evolve and present critical risks to many customers and firms. This post discusses FINRA’s continued focus on cybersecurity as well as key insights and effective practices from the Report for firms to consider for their cybersecurity programs.


10. Lessons Learned from DOJ’s Takedown of Hive Ransomware (January 27, 2023)

On January 26, 2022, the FBI, DOJ, and international law enforcement partners dropped a bombshell of an announcement: they had dismantled the infrastructure of one of the most prolific ransomware groups. Hive Ransomware has long been known as an extremely active group, responsible for many ransomware attacks, including against hospitals. But the full extent of the Hive network was unknown until DOJ unsealed the affidavit supporting the seizure of the servers used by Hive. Perhaps the biggest bombshell revealed by DOJ was that for months the FBI had had access to Hive’s computer networks and was able to swipe decryption keys and pass them on to victims of ransomware attacks. In this post, we discuss the key takeaways that can be learned from the Hive takedown.

***

Author

Charu A. Chandrasekhar is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense and Data Strategy & Security Groups. Her practice focuses on securities enforcement and government investigations defense and cybersecurity regulatory counseling and defense.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Erez Liebermann is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Author

Matthew Kelly is a litigation counsel based in the firm’s New York office and a member of the Data Strategy & Security Group. His practice focuses on advising the firm’s growing number of clients on matters related to AI governance, compliance and risk management, and on data privacy. He can be reached at makelly@debevoise.com.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.

Author

Corey Goldstein is an associate in Debevoise's Litigation Department. He can be reached at cjgoldst@debevoise.com.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Michael R. Roberts is a senior associate in Debevoise & Plimpton’s global Data Strategy and Security Group and a member of the firm’s Litigation Department. His practice focuses on privacy, cybersecurity, data protection and emerging technology matters. He can be reached at mrroberts@debevoise.com.

Author

Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.