As we approach the end of the year, here are the Top 10 Cybersecurity posts on the Debevoise Data Blog in 2022 by page views. 1. NYDFS Proposed Significant Changes to Its Cybersecurity Rules November 30, 2022 On July 29, 2022, the New York Department of Financial…

On December 5, 2022, the Securities and Exchange Commission (the “SEC”) Division of Examinations (“EXAMS”) published a Risk Alert providing observations from recent examinations relating to investment advisers’ and broker-dealers’ compliance with Regulation S-ID (“Reg S-ID”), also known as the Identity Theft Red Flags Rule (the “Red Flags Rule”). We previously wrote about the SEC’s July 2022 charges against three…

We last wrote about New York City’s Automated Employment Decision Tool Law (the “AEDT Law” or the “Law”) in September following the release of the proposed rules (“Proposed Rules”) to implement the Law, which requires covered employers to conduct annual independent bias audits and to publicly post a summary of those results.  Now, on December 12, 2022, the New York…

Key takeaways this November include: EU Digital Operational Resilience Act: Financial services firms – including banks, insurers and private equity firms – should start assessing what they will need to do to comply with the extensive obligations in the recently finalised Digital Operational Resilience Act (DORA); Cybersecurity for critical infrastructure: Businesses should check to see if they will be covered…

On December 9th, 2022, Eric Dinallo and Marshal Bozzo of Debevoise’s Insurance Regulatory Group were joined by Avi Gesser and Anna Gressel of the firm’s Data Strategy and Security Group to discuss the latest developments on AI insurance regulation in Colorado.  This was the latest installment in Debevoise’s series of webcasts focused on developments affecting the insurance industry, and included:…

Debevoise & Plimpton LLP has won the “Innovation in Digitizing Legal Services” category of the Financial Times’ North America Innovative Lawyers Awards. The firm was selected for its Data Portal, which consists of a groundbreaking suite of tools that help clients address business critical cybersecurity and AI issues, including: The Cyber Breach Notification Assessment Tool: Allows subscribers to rapidly assess…

On Wednesday, November 30, 2022, Avi Gesser, Co-Chair of the Debevoise Data Strategy and Security Group,  participated in the WSJ Pro Cybersecurity Forum on a panel on Cybersecurity Whistleblowers, along with Kim Nash, Deputy Editor of WSJ Pro Cybersecurity, and Todd Fitzgerald, Vice President of Cybersecurity Strategy at the Cybersecurity Collaborative.  The panel discussed: Why employees blow the whistle poor…

On November 9, 2022, the New York Department of Financial Services (the “NYDFS”) announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation 23 NYCRR 500 (the “Proposed Amendments”). The 60-day public comment period to the Proposed Amendments ends on January 9, 2023. We provided our initial thoughts on the Proposed Amendments in a blog post, and then held a webcast…

We recently wrote about how rights-based regulatory regimes for artificial intelligence (as opposed to risk-based frameworks) can lead to a misallocation of resources because compliance will require too much effort on low-risk AI (e.g., spam filters, graphics generation for games, inventory management, etc.) and not enough effort on AI that can actually pose a high risk of harm to consumers…

On 10 November 2022, the European Parliament approved the second network and information systems directive (“NIS2”). Once approved by the Council of the European Union, NIS2 will expand the applicability of the existing NIS Directive and impose updated cybersecurity obligations (in particular on supply chain security and incident reporting) on entities in a wide range of sectors designated as critical…