Key takeaways this November include: EU Digital Operational Resilience Act: Financial services firms – including banks, insurers and private equity firms – should start assessing what they will need to do to comply with the extensive obligations in the recently finalised Digital Operational Resilience Act (DORA); Cybersecurity for critical infrastructure: Businesses should check to see if they will be covered…

On December 9th, 2022, Eric Dinallo and Marshal Bozzo of Debevoise’s Insurance Regulatory Group were joined by Avi Gesser and Anna Gressel of the firm’s Data Strategy and Security Group to discuss the latest developments on AI insurance regulation in Colorado. This was the latest installment in Debevoise’s series of webcasts focused on developments affecting the insurance industry, and included:…

Debevoise & Plimpton LLP has won the “Innovation in Digitizing Legal Services” category of the Financial Times’ North America Innovative Lawyers Awards. The firm was selected for its Data Portal, which consists of a groundbreaking suite of tools that help clients address business critical cybersecurity and AI issues, including: The Cyber Breach Notification Assessment Tool: Allows subscribers to rapidly assess…

On Wednesday, November 30, 2022, Avi Gesser, Co-Chair of the Debevoise Data Strategy and Security Group, participated in the WSJ Pro Cybersecurity Forum on a panel on Cybersecurity Whistleblowers, along with Kim Nash, Deputy Editor of WSJ Pro Cybersecurity, and Todd Fitzgerald, Vice President of Cybersecurity Strategy at the Cybersecurity Collaborative. The panel discussed: Why employees blow the whistle poor…

On November 9, 2022, the New York Department of Financial Services (the “NYDFS”) announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation 23 NYCRR 500 (the “Proposed Amendments”). The 60-day public comment period to the Proposed Amendments ends on January 9, 2023. We provided our initial thoughts on the Proposed Amendments in a blog post, and then held a webcast…

We recently wrote about how rights-based regulatory regimes for artificial intelligence (as opposed to risk-based frameworks) can lead to a misallocation of resources because compliance will require too much effort on low-risk AI (e.g., spam filters, graphics generation for games, inventory management, etc.) and not enough effort on AI that can actually pose a high risk of harm to consumers…

On 10 November 2022, the European Parliament approved the second network and information systems directive (“NIS2”). Once approved by the Council of the European Union, NIS2 will expand the applicability of the existing NIS Directive and impose updated cybersecurity obligations (in particular on supply chain security and incident reporting) on entities in a wide range of sectors designated as critical…

The EU’s General Data Protection Regulation 2016 (the “GDPR”) changed the global privacy landscape, and has been called the “gold standard” for data protection regulation. Recently, a number of U.S. states have introduced privacy laws, which borrow certain GDPR concepts (the “State Privacy Laws”): the Californian Consumer Rights Privacy Act 2020 (the “CPRA”) which amends the California Consumer Privacy Act…

On 28 November 2022, the European Union finalised the EU Digital Operational Resilience Act (“DORA”). Following a two-year implementation period, DORA will impose far-reaching operational resilience requirements and management oversight requirements on financial services firms – including banks, insurers and private equity firms – as well as critical service providers that, for the first time, will be directly regulated…

On Friday, November 18, 2022 at 10:30AM ET, Eric Dinallo, Avi Gesser, Erez Liebermann, Caroline Novogrod Swett, and Johanna Skrzypczyk participated in a webcast examining the new draft amendments to the Part 500 Cybersecurity Rules (“Draft Amendments”) proposed by the New York Department of Financial Services (“NYDFS”) and the implications they may have for insurance companies and other NYDFS-regulated entities.…