Overall, it is likely that states will continue to emphasize the importance of cybersecurity programs. Some laws could encourage stronger cybersecurity by providing an affirmative defense. Others could mandate certain cybersecurity practices without affording an explicit affirmative defense. No matter the specifics of a statute or even in the absence of a statute, companies will be well-served to implement an industry-recognized cybersecurity framework. Not only will the frameworks likely reduce the frequency or severity of data breaches, but they may also improve a company’s defense against alleged liability in the event a data breach does occur.

Connecticut’s new cybersecurity standards law, which goes into effect on October 1, 2021, protects companies from punitive damages in certain data breach actions where an organization has a cybersecurity program that conforms with an enumerated “industry-recognized cybersecurity framework.” It is the latest in a series of U.S. state efforts to incentivize companies to demonstrate that their cybersecurity programs are aligned with recognized frameworks and thus meet a reasonable standard of care.

It’s not enough to vet third-party technology providers when bringing them onboard because the due diligence evaluation should be ongoing, according to Ben Mathis, chief information officer at Carson Group.

ADVISOR ARMOR COVERAGE INCLUDES UNLIMITED THIRD PARTY CYBERSECURITY VETTING & MONITORING

On multiple fronts, the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) continue to increase their focus on cybersecurity. This is understandable as headlines of recent data breaches and ransomware attacks are in the news almost daily. This alert will highlight several of the actions taken by these regulators and proactive measures that financial services companies can implement to avoid the regulatory scrutiny that may follow from a cyber incident.

Laws passed in Ohio, Utah and Connecticut are redefining the idea of reasonable cyber security controls across the US, writes global cyber security thought leader and CS Hub Advisory Board member Kayne McGladrey CISSP

Attorney Brenda Sharton is an old hand at helping companies navigate data breaches. In a typical week, she would work on recovery efforts from two or three cyberattacks—a steady but manageable pace.

Then came the novel coronavirus pandemic, and the volume of attacks skyrocketed.

“Over the course of a long weekend we had nine of them,” she says of one period late last winter.

Hackers thrive on crisis and disruption, says Sharton, litigation partner and global co-chair of the privacy and cybersecurity practice at the law firm Dechert. As businesses follow tentative return-to-office plans even as the Delta variant surges, she worries about another burst of cyberattacks, which this time could include even more financial advisory practices.

Hackers eye all sorts of businesses, but wealth management companies make particularly alluring targets, thanks to their proximity to vast sums of money and the detailed Information they hold on wealthy clients.

“The two holy grails for these people are money movement and data access,” Wealthcare President Matt Regan says of today’s breed of cybercriminals. “Bank robbers rob banks because that’s where the money is, and this is where the money is.”

The US financial market regulator, the Securities and Exchange Commission (SEC), has imposed sanctions on eight broker-dealer and financial advisory companies for lapses in their cybersecurity policies and measures. Three firms are facing a combined monetary penalty of $750,000.

It has been a busy summer for data breach and cybersecurity laws. Several states have shortened their data breach notification timelines, expanded their definitions of personal data breaches triggering notification requirements, or added provisions related to companies' cybersecurity programs.

We summarize the notable changes below. Clients are advised to carefully review these changes and assess whether their existing information security policies and procedures should be updated.

In 2021, the New York Department of Financial Services (NYDFS) is cracking down on companies that fail to comply with the Cybersecurity Regulations set forth in 23 NYCRR Part 500 by imposing millions of dollars in civil penalties. On June 8, 2021, NYDFS issued a series of frequently asked questions (FAQs) to provide guidance with respect to the Cybersecurity Regulations, which impose stringent requirements designed to protect information systems and nonpublic information stored on those systems. On June 30, 2021, NYDFS issued Ransomware Guidance on steps companies should take to prevent or mitigate the risk of a ransomware attack. In addition, NYDFS has encouraged cyber insurers to adopt a Cyber Insurance Risk Framework to measure and manage cyber risk and exposure due to the unprecedented rise and growing losses associated with cyber threats and systemic risk.

When a business suffers a cyber incident, a myriad of legal and regulatory implications follow. To handle such an incident effectively — and legally — it’s crucial to:

• Understand the specific cybersecurity regulations applicable to your company and industry.

• Determine what your company needs to do to achieve compliance.

• Make sure you don’t break the law in how you respond should an incident occur.

The current cyber threat landscape is incredibly active — given the rush to remote work as a result of the pandemic, a significant increase in security incidents has occurred. Meanwhile, hackers — both individuals and nation-states — recognize this and continue to exploit weaknesses in cybersecurity systems and practices.