Covered financial institutions now face heightened expectations in relation to cybersecurity governance, risk assessment, and incident reporting.

By Jenny Cieplak, Tony Kim, Arthur Long, Clayton Northouse, Serrin Turner, Yvette D. Valdez, Deric Behar, and Molly Whitman

The New York State Department of Financial Services’ (DFS) amendments (the Amendments) to its cybersecurity regulations, which were adopted last month with the first implementation deadline of December 1, 2023, impose new and enhanced requirements on covered entities.

On November 1, 2023, the DFS announced the Amendments to its regulations that were initially published in 2017 (23 NYCRR part 500). The changes impose more demanding requirements for larger entities, new obligations to report ransomware incidents and payments, and expanded oversight responsibilities for board and senior management. Requirements related to business continuity and disaster recovery have also been included for the first time.

The evolution of cybersecurity-related representations and warranties in M&A transaction documentation has had an impact on financing transactions.

Major M&A transactions and IPOs have become the target of increasingly sophisticated cyberattacks, in some cases affecting thousands of companies along the supply chain. Regulators have responded with stepped-up enforcement, extending their reach not just to victim companies but also to third parties like payment processors and insurance carriers.

Today’s most pressing cybersecurity risks can have a significant effect on borrowers and

Companies should take steps now to prepare for the new rules and expectations.

By Jennifer C. Archie, Tony Kim, Serrin Turner, Alexander L. Stout, Ryan J. Malo, and James A. Smith

The US government continues to expand regulatory requirements around notification and disclosure of major cyberattacks or incidents. New measures are arriving on the heels of high-profile ransomware attacks on US companies and critical infrastructure, such as the Colonial Pipeline hack that caused gas shortages in the eastern United States last summer.

Announced shared cybersecurity priorities across the Executive Branch include:

  • Cyber hygiene in the public and private sector, especially where critical infrastructure is involved
  • Operational collaboration between the public and private sector for tier one events
  • Disruption of the flow of cryptocurrency or other consideration to attackers
  • Fulsome, accurate, timely disclosure to investors and other stakeholders
  • Comprehensive reporting of incidents

Eliminating the risk of business email compromise (BEC) attacks requires all parties to a financial transaction to pay close attention to email security, financial controls, and communication protocols.

By Jennifer C. Archie, Serrin Turner, and Tim Wybitul

Key Points:

  • The FBI has identified BEC fraud as the No. 1 financial threat to businesses in the US.
  • The FBI’s Internet Crime Complaint Center (IC3) estimates that global “exposed dollar losses” to BEC fraud has exceeded US$26 billion in the past three years.[i] In 2019 alone, the IC3 recorded 23,775 complaints about BEC, which resulted in losses worth some US$1.7 billion.
  • All parties to financial transactions must be aware of this fraud risk. Each should put in place not only appropriate security controls for email, but also financial controls for bank account and wiring-instruction verification.

What Is Business Email Compromise?

Business email compromise is a type of Internet-based fraud that typically targets employees with access to company finances — using methods such as social engineering and computer intrusions. The objective of the fraud is to trick the employee into making a wire transfer to a bank account thought to belong to a trusted partner, but that in fact is actually controlled by the fraudster.

By Jennifer Archie, Serrin Turner, Kyle Jefcoat, Dean Baxtrasser and Morgan Maddoux

As of December 31, 2017, many United States government contractors face a new compliance requirement involving cybersecurity. This requirement will govern most new Department of Defense (DoD) contracts and, significantly, will apply to many current DoD contracts that include the applicable standard contract clause.

On October 21, 2016, DoD issued a final rule, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS Rule), which is intended to address “enhanced safeguarding for certain sensitive DoD information.” The DFARS final rule requires contractors to safeguard information systems and imposes investigation and reporting requirements in the case of cyber incidents.

Under the DFARS rule, contractors will be required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 — a requirement that goes into effect at the end of this month. The DFARS Rule focuses on protecting “covered defense information” (CDI) — that it defines broadly — and stipulates the basic security requirements a defense contractor must implement and maintain. A defense contractor generally must implement the security requirements in the version of NIST SP 800-1717, which were developed for use on contractors’ internal systems and should enable contractors to comply with the requirements using their existing systems and practices — rather than forcing contractors to build a new system and develop practices from scratch in order to be in compliance.

By Hanna Roos and Jennifer Archie

Cybercrime has become a regular feature of global news. The question is not if another attack will happen, but when. Prominent examples include the leak of millions of attorney-client documents from law firms Appleby and Mossack Fonseca, and the “Petya” attack, which brought DLA Piper’s system to a standstill.

Arbitration is also at risk. Parties, arbitrators, counsel, and institutions may be compromised, and the consequences could be serious for the target and the arbitral community as a whole. We explore the risks and consequences in our article, Is our imagination failing us? Call for cybersecurity guidelines in international arbitration.

As the first measure, we advocate a documented assessment of cybersecurity risks at the outset of each arbitration. A bespoke audit helps to avoid both an inadequate cyber security system and a more expensive and complicated system than is necessary. For a checklist of cybersecurity risks to consider at the beginning of an arbitration, see our Practice note, Cybersecurity issues in arbitration: Cybersecurity checklist.

By Jennifer Archie, Alan Avery, Serrin Turner, and Pia Naib

Dozens of financial institutions and trade associations have lodged emphatic objections with the New York State Department of Financial Services (NYSDFS) in response to the Department’s September 28, 2016 Notice of Proposed Rulemaking entitled “Cybersecurity Requirements for Financial Services Companies” (the Proposed Rules). As published for comment in the New York State Register, the Proposed Rules would impose expansive new cybersecurity requirements on entities under NYSDFS’ jurisdiction

By Jennifer Archie, Gail Crawford, Serrin Turner, Hui Xu & Lex Kuo

The Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) has introduced China’s first and comprehensive Network Security Law (also referred to as Cybersecurity Law). The law will have far-reaching implications for parties that utilize the internet and handle network data and personal information in the PRC.

What this means for China’s internet users

Both individuals and entities which access internet in the PRC will be subject to enhanced security requirements and new regulation relating to the use and transfer of personal data. Network operators, equipment suppliers, security solution providers and other market participants will need to comply with the sweeping new security requirements and national standards, which will come into effect on June 1, 2017.

Latham partners Serrin Turner, Jennifer Archie and Jeffrey Tochner sat down with Eric Friedberg, Executive Chairman at Stroz Friedberg, and Matt Olsen, President – Consulting at IronNet Cybersecurity, to discuss current cyberthreat levels and the growing need for companies to devote resources for future risk mitigation.

https://youtu.be/rGuH-mvg9h4

 

By Jennifer Archie, Gail Crawford, Andrew Moyle, Serrin Turner, and Brian Meenagh

Hacking of organizations’ systems is becoming increasingly commonplace, even with advancements in security practices. To mitigate risk, a company must have an enterprise-level, cross-functional incident response plan that is rehearsed and practiced. In the event of an incident a company with a rehearsed plan can avoid delays and mistakes, minimize conflicts between functions, and ensure regulatory, legal and contractual reporting requirements are met.

Take Preventative Action

No one can predict when or how a cybersecurity breach will occur, but organizations should take active steps to prepare. The following five actions can help ensure an organization’s cyber-readiness.

1. Adopt and continuously optimize a formal cybersecurity program:

While any program should be tailored to industry and regulatory schemes, generally the program must have the following core components.