In a first, bold move by the Securities and Exchange Commission (SEC) following its new Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, issued on July 26, 2023, this week, the SEC filed suit against SolarWinds and its Chief Information Security Officer (CISO) alleging that SolarWinds and its CISO

2020 will go down as one of the most stressful in my career as a cybersecurity professional. I have been working in this area of law full time since 2003. So that says a lot.

On top of the stress of the spread of the coronavirus, this has been a particularly stressful year assisting clients

I always enjoy hosting and participating in the CISO Executive Network meetings. The meetings offer Chief Information Security Officers (CISOs) the opportunity to discuss together ways they can improve security in their organizations, get ideas from each other on strategies and products, and vent with colleagues about particular issues and complaints. It gives me great

I have been hanging out a lot with Chief Information Officers (CIO) and Chief Information Security Officers (CISO) these days at speaking engagements and conferences, as October – National Cybersecurity month – is always busy. The topic that keeps coming up in these conversations is phishing and how most ransomware attacks are started because an

Robinson+Cole has the distinct pleasure to host the CISO Executive Network in Hartford and Boston. It is an opportunity to hang out with Chief Information Security Officers (CISOs), develop relationships with them, discuss commonality in the issues they experience, and collaborate on different strategies to address their concerns.

This week the meetings centered around effective

Cybersecurity company Carbon Black recently issued a report of the results of a survey of chief information security officers (CISOs) of financial organizations, which showed that the financial industry is getting hammered by more frequent and sophisticated cyber-attacks. Carbon Black partnered with Optiv to survey banks and financial institutions around the world.

According to the

I hang out with Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs). I support them because they have thankless jobs and have a mountain of responsibilities to protect an organization, most of the time without complete support from the organization. I try to help CISOs and CIOs get the budgeting they need to

On March 1, 2018, the one year transition period within which banks, insurance companies, and other financial services institutions and licensees regulated by the New York Department of Financial Services (“Covered Entities”)  must have implemented a cybersecurity program ends. By March 1, the Covered Entities must be in compliance with the following requirements:

23 NYCRR

On September 13, 2016, Governor Andrew Cuomo announced the first proposed broadly applicable cyber regulation in the U.S. (the “Regulation”). The Regulation covers banks, insurance companies and other financial institutions (Covered Entities) regulated by the New York Department of Financial Services (the “DFS”). The Regulation is tightly focused, but with broad reach. It appears to adopt aspects of other regulations and standards, but then adds some unique requirements that create the most sweeping and protective regulation proposed. If adopted in a form close to the draft presented, financial institutions regulated by the DFS will have significant responsibility, and oversight, for protecting core operations and data, which extends far beyond personally identifiable information covered by most existing statutes and regulations.

At the core is the Regulation’s first section, which requires Covered Entities to “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” This requirement is analogous to, and may have been modeled on, Section 242.1001(a) of the Securities and Exchange Commission’s Regulation Systems Compliance and Integrity (Reg SCI). This seemingly simple requirement has broad implications, as failures of data and systems integrity and availability have the potential to be far more devastating to institutions and individuals than confidentiality breaches. Much of the Regulation provides the regulatory scaffolding designed to ensure that Covered Entities meet this requirement.

However, whereas Reg SCI uses language in its core requirement that does not have clear definition in existing cybersecurity standards, DFS took another route. By using the terms “confidentiality, integrity and availability” and requiring Covered Entities to identify Nonpublic Information, the sensitivity of Nonpublic Information, and how and by whom such Nonpublic Information may be accessed, the Regulation incorporates concepts that appear to come directly from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 (NIST 800-53 Standard). The NIST 800-53 Standard requires data and systems identification and classification, and may provide an analogous structure that could be used for much, but not all, of the policies, processes and procedures required by the Regulation.Continue Reading The Cyber Regulation Drops

The proposed New York Department of Financial Services Cybersecurity Requirements for Financial Institutions (the “Regulation”) has many different aspects that are designed to bring about overall improvement in cybersecurity programs. One that has yet to be explored is how the Regulation elevates the role of the Chief Information Security Officer (the “CISO”) beyond the traditional role at many financial services companies. The Regulation has detailed requirements for what must be included in a company’s cybersecurity policy and procedures. While most of the requirements are standard for information security policies, a few place responsibilities for areas of business that are necessary for cybersecurity, but go far beyond cybersecurity within organizations.

One of the requirements is for inclusion of data governance and classification. Data must be appropriately classified and governance rules applied for proper cybersecurity. However, data classification includes many topics, such as licensed data, third party confidential information,  company confidential information, intellectual property and many others. Data governance ensures that data when correctly classified is used in a manner appropriate to the business need, objectives and in compliance with laws and regulations.

The Regulation also requires business continuity and disaster recovery planning and resources be a part of the cybersecurity policy and procedures. In many companies, the executive responsible for these areas and resources is does not report to the CISO. Business continuity and disaster recovery planning also goes far beyond traditional cybersecurity planning, and yet is critical to cybersecurity effectiveness.Continue Reading The (Regulated) Rise of the CISO