On June 15, the Securities and Exchange Commission announced a settlement with First American Financial Corporation for what the SEC found were inadequate disclosure controls and procedural violations, revealed in connection with a cyber incident last spring.

On June 16 and July 6, 2021, Connecticut Governor Ned Lamont signed two new cybersecurity laws that continue the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021.

"An Act Concerning Data Privacy Breaches" Amends Connecticut's Existing Data Breach Law

HB 6607 became law without the Governor’s signature, and will incentivize the adoption of cybersecurity standards for businesses. The new law will allow businesses that adopt certain cybersecurity practices to escape punitive damages in any cause of action that alleges that a failure to implement “reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information” if the action is brought under the laws of the State of Connecticut or in the courts of the State of Connecticut.

In April, the North American Securities Administrators Association (NASAA) published its Investment Adviser Section Annual Report, highlighting its 2020 activities concerning state-registered advisers. In sum, the report paints a statistical picture of the average state-registered adviser in 2020, reports on a sampling of state approaches to managing through the COVID-19 pandemic, and addresses two major NASAA initiatives – the Investment Adviser Policies and Procedures Model Rule and the Investment Adviser Representative Continuing Education Model Rule.

The SEC’s Division of Examinations’ (EXAMS) has made it a priority in 2021 to review the steps that firms take to ensure information security and operational resiliency.

In its report, EXAMS noted that it will scrutinize whether advisers have implemented appropriate measures to oversee vendors and service providers and manage the cybersecurity and privacy risks inherent in those relationships. So what does the agency expect to see from you?

A new trend in privacy law appears to be on the horizon. Earlier this year, Utah joined Ohio on the forefront of jurisdictions that provide data breach safe harbors to entities where certain conditions are met. What can your business learn from this new trend – and will it be coming to your state anytime soon?

Long before I became the president of a cybersecurity company, I could see the writing on the wall: Cybersecurity was becoming a serious threat for businesses large and small. But although I come from a technology background, my experience was in distribution and management, so like most people, I assumed cybersecurity was an issue being taken care of by the folks in the IT department. I’m here to say I was wrong.

While the pandemic shifted numerous industries and the workforce associated with them, working from home will be a trend that remains for the foreseeable future. As more companies work with employees to set up a home office, the question for businesses is how does the company keep a high level of cybersecurity for employees while working from home? Until now, most company associates would report to the office to work within their designated offices. The cybersecurity protocols installed at the office would handle all security aspects for the employees.

After more than a year of working from home, research shows not much has changed when it comes to addressing the remote work cybersecurity challenge. According to the COVID-19 Cybersecurity in the Remote Workforce study, which surveyed more than 5,800 consumers in February 2021, data shows that employees working from home are still placing corporate data at risk, and companies are not taking many new steps to change that.

Even while there has been a 350% increase in ransomware attacks in the last year, security gaps for remote workers continue to be considerable, and support from IT for remote workers hasn’t improved. Consider these key findings:

On April 14, 2021, the New York Department of Financial Services (DFS) announced it settled an enforcement action against National Securities Corporation (“National Securities”) related to claims under the Cybersecurity Regulation, 23 NYCRR Part 500. The Consent Order imposes a $3 million penalty, various remediation measures and represents a flurry of cybersecurity activity by the regulator in the first quarter of 2021.