As part of its Virtual Markets Integrity Initiative, on September 18, 2018,  the New York Attorney General’s Office issued a report reviewing the platforms of various cryptocurrency exchanges. The initiative arose from the recognition that online virtual currency exchanges perform functions markedly similar to traditional stock exchanges and broker-dealers, but are generally not registered under state or federal securities or commodities laws and often have not implemented standards designed to protect investors.
Continue Reading New York AG Warns Investors of Risks of Trading on Cryptocurrency Exchanges

On March 1, 2017, New York’s Cybersecurity Regulation (23 NYCRR Part 500)[1] became effective.  The regulation is the first of its kind in the nation and requires certain companies, including banks, insurance companies and other financial services institutions regulated by the Department of Financial Services (“Covered Entities”), to have:

  • a cybersecurity program designed to protect consumers’ private data;
  • a written policy or policies that are approved by the Board of Directors or a senior officer;
  • a Chief Information Security Officer to help protect data and systems; and
  • in place controls and plans to help ensure the safety and soundness of New York’s financial services industry.[2]

In addition, pursuant to the regulation, Covered Entities must report a cybersecurity event if (a) the event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (b) the event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.  Details regarding what makes up such an event are detailed on the New York Department of Financial Services website.[3] 
Continue Reading Compliance With New York’s Cybersecurity Regulation 23 NYCRR Part 500

The proposed New York Department of Financial Services Cybersecurity Requirements for Financial Institutions (the “Regulation”) has many different aspects that are designed to bring about overall improvement in cybersecurity programs. One that has yet to be explored is how the Regulation elevates the role of the Chief Information Security Officer (the “CISO”) beyond the traditional role at many financial services companies. The Regulation has detailed requirements for what must be included in a company’s cybersecurity policy and procedures. While most of the requirements are standard for information security policies, a few place responsibilities for areas of business that are necessary for cybersecurity, but go far beyond cybersecurity within organizations.

One of the requirements is for inclusion of data governance and classification. Data must be appropriately classified and governance rules applied for proper cybersecurity. However, data classification includes many topics, such as licensed data, third party confidential information,  company confidential information, intellectual property and many others. Data governance ensures that data when correctly classified is used in a manner appropriate to the business need, objectives and in compliance with laws and regulations.

The Regulation also requires business continuity and disaster recovery planning and resources be a part of the cybersecurity policy and procedures. In many companies, the executive responsible for these areas and resources is does not report to the CISO. Business continuity and disaster recovery planning also goes far beyond traditional cybersecurity planning, and yet is critical to cybersecurity effectiveness.Continue Reading The (Regulated) Rise of the CISO