In 2021, the New York Department of Financial Services (NYDFS) is cracking down on companies that fail to comply with the Cybersecurity Regulations set forth in 23 NYCRR Part 500 by imposing millions of dollars in civil penalties. On June 8, 2021, NYDFS issued a series of frequently asked questions (FAQs) to provide guidance with respect to the Cybersecurity Regulations, which impose stringent requirements designed to protect information systems and nonpublic information stored on those systems. On June 30, 2021, NYDFS issued Ransomware Guidance on steps companies should take to prevent or mitigate the risk of a ransomware attack. In addition, NYDFS has encouraged cyber insurers to adopt a Cyber Insurance Risk Framework to measure and manage cyber risk and exposure due to the unprecedented rise and growing losses associated with cyber threats and systemic risk.

When a business suffers a cyber incident, a myriad of legal and regulatory implications follow. To handle such an incident effectively — and legally — it’s crucial to:

• Understand the specific cybersecurity regulations applicable to your company and industry.

• Determine what your company needs to do to achieve compliance.

• Make sure you don’t break the law in how you respond should an incident occur.

The current cyber threat landscape is incredibly active — given the rush to remote work as a result of the pandemic, a significant increase in security incidents has occurred. Meanwhile, hackers — both individuals and nation-states — recognize this and continue to exploit weaknesses in cybersecurity systems and practices.

On June 15, the Securities and Exchange Commission announced a settlement with First American Financial Corporation for what the SEC found were inadequate disclosure controls and procedural violations, revealed in connection with a cyber incident last spring.

On June 16 and July 6, 2021, Connecticut Governor Ned Lamont signed two new cybersecurity laws that continue the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021.

"An Act Concerning Data Privacy Breaches" Amends Connecticut's Existing Data Breach Law

HB 6607 became law without the Governor’s signature, and will incentivize the adoption of cybersecurity standards for businesses. The new law will allow businesses that adopt certain cybersecurity practices to escape punitive damages in any cause of action that alleges that a failure to implement “reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information” if the action is brought under the laws of the State of Connecticut or in the courts of the State of Connecticut.

In April, the North American Securities Administrators Association (NASAA) published its Investment Adviser Section Annual Report, highlighting its 2020 activities concerning state-registered advisers. In sum, the report paints a statistical picture of the average state-registered adviser in 2020, reports on a sampling of state approaches to managing through the COVID-19 pandemic, and addresses two major NASAA initiatives – the Investment Adviser Policies and Procedures Model Rule and the Investment Adviser Representative Continuing Education Model Rule.

The SEC’s Division of Examinations’ (EXAMS) has made it a priority in 2021 to review the steps that firms take to ensure information security and operational resiliency.

In its report, EXAMS noted that it will scrutinize whether advisers have implemented appropriate measures to oversee vendors and service providers and manage the cybersecurity and privacy risks inherent in those relationships. So what does the agency expect to see from you?

A new trend in privacy law appears to be on the horizon. Earlier this year, Utah joined Ohio on the forefront of jurisdictions that provide data breach safe harbors to entities where certain conditions are met. What can your business learn from this new trend – and will it be coming to your state anytime soon?

Long before I became the president of a cybersecurity company, I could see the writing on the wall: Cybersecurity was becoming a serious threat for businesses large and small. But although I come from a technology background, my experience was in distribution and management, so like most people, I assumed cybersecurity was an issue being taken care of by the folks in the IT department. I’m here to say I was wrong.

While the pandemic shifted numerous industries and the workforce associated with them, working from home will be a trend that remains for the foreseeable future. As more companies work with employees to set up a home office, the question for businesses is how does the company keep a high level of cybersecurity for employees while working from home? Until now, most company associates would report to the office to work within their designated offices. The cybersecurity protocols installed at the office would handle all security aspects for the employees.