
Page 1: Navigating New York's New Cybersecurity Regulations and ...media.straffordpub.com/products/navigating-new... · 4/12/2017  · body exists, the CISO shall timely present the report

Presenting a live 90-minute webinar with interactive Q&A

Navigating New York's New Cybersecurity Regulations and Federal Guidance for Banks and Other Financial Institutions
Complying With New York DFS Regulations, Avoiding Federal Enforcement Actions for Data Breaches

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

WEDNESDAY, APRIL 12, 2017

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Today’s faculty features:

Mark L. Krotoski, Partner, Morgan Lewis & Bockius, Palo Alto, Calif.

Joseph D. Simon, Partner, Cullen and Dykman, Garden City, N.Y.

Page 2

Tips for Optimal Quality

FOR LIVE EVENT ONLY

Sound Quality
If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-873-1442 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

Page 3

Continuing Education Credits

FOR LIVE EVENT ONLY

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 35.

Page 4

Program Materials

FOR LIVE EVENT ONLY

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

Page 5

April 12, 2017

Mark L. Krotoski, Morgan Lewis
Joseph D. Simon, Cullen and Dykman

Page 6

Before we begin:

Please note that the views expressed during this presentation are those of each speaker, and not necessarily those of the agency or employer that they work for or of any of their clients.

Page 7

Morgan Lewis litigation partner in the Privacy and Cybersecurity and Antitrust practices.

Served as National Coordinator for the Department of Justice (DOJ) Computer Hacking and Intellectual Property (CHIP) Program in Washington, DC, and as a CHIP prosecutor in Silicon Valley, among other DOJ leadership positions.
◦ Successfully led prosecutions and investigations of nearly every type of international and domestic computer intrusion, cybercrime, and criminal intellectual property case.
◦ Experienced in foreign economic espionage cases involving the theft of trade secrets with the intent to benefit a foreign government.
◦ He and his team successfully prosecuted two of the first foreign economic espionage cases authorized by DOJ under the Economic Espionage Act.
◦ Developed and led DOJ training efforts on computer crimes, economic espionage, and the collection of electronic evidence during an investigation and its admission into evidence at trial, among other related topics.

Advises clients on developing effective Cybersecurity and Trade Secret Protection Plans and in responding to a data breach incident or misappropriation of trade secrets. He has written extensively on these issues.

Phone: 650.843.7212, Email: [email protected]

Page 8

Cullen and Dykman partner in the banking and financial services practice area.

Advises financial institutions on a wide range of issues, including cybersecurity, data breach responses, financial privacy, Truth-in-Lending, RESPA, Truth-in-Savings, transactions with affiliates, lending limits, electronic banking, banking operations, and currency transaction and IRS reporting obligations.

Recipient of a JD Supra Reader’s Choice Award in both 2016 and 2017 for being one of the top authors in the country with respect to readership and engagement in the area of Banking/Financial Services.

Author of “CFPB Mortgage Rules Under the Dodd-Frank Act,” a volume of Bloomberg BNA’s Banking Portfolio Series. The portfolio provides a comprehensive overview of mortgage rules issued by the Consumer Financial Protection Bureau under the Dodd-Frank Act.

Phone: (516) 357-3710, Email: [email protected]

Page 9

New York State’s Cybersecurity Regulation

Federal Agency Enforcement Actions

Federal Agency Joint ANPR

Page 10

Page 11

Regulation issued by the New York State Department of Financial Services (23 NYCRR 500)

First of its kind regulation by any state

Requires a “Covered Entity” to adopt a cybersecurity program and policy to prevent, detect and respond to cybersecurity threats

Flexible but robust requirements, allowing for compliance on a risk-based approach

Page 12

Extensive obligations on entities subject to the regulation

Imposes requirements on certain companies that may never have considered cybersecurity risks

Major focus on third party service providers

Likely the template for other states and federal regulators

Page 13

Final Regulation issued February 16, 2017

Effective date March 1, 2017, but delayed compliance dates

Compliance required on August 28, 2017 for several provisions

Compliance with other provisions on March 1, 2018, September 3, 2018, and March 1, 2019

Page 14

“Covered Entity”
◦ Any “Person” (an individual or non-government entity) operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Law
◦ Covers all types of entities chartered, licensed or registered in New York State, including banks and credit unions, insurance companies and agencies, residential mortgage bankers and brokers, and check cashers
◦ Non-New York entities take note: Even if you are not chartered in New York, a subsidiary or affiliate that operates in New York may be a “Covered Entity,” such as:
  ◦ Insurance agency
  ◦ Residential mortgage banking company

Page 15

Exemptions from certain requirements for a Covered Entity:
◦ With fewer than 10 employees (including independent contractors) of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity; or
◦ With less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates; or
◦ With less than $10,000,000 in year-end total assets, calculated in accordance with GAAP, including assets of all Affiliates; or
◦ That does not directly or indirectly operate, maintain, utilize or control any Information Systems, and does not, and is not required to, control, own, access, generate, receive or possess Nonpublic Information; or
◦ That is a captive reinsurance company and does not, and is not required to, control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent (or affiliates)

Notice of exemption must be filed with DFS

Full exemption from the Cybersecurity Regulation for certain charitable annuity societies, risk retention groups and reinsurers

Page 16

A Covered Entity must maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems

The cybersecurity program must be based on the Covered Entity’s Risk Assessment and be designed to perform core cybersecurity functions, such as:
◦ identifying and assessing internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems
◦ using defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those systems, from unauthorized access, use or other malicious acts
◦ detecting Cybersecurity Events
◦ responding to identified or detected Cybersecurity Events
◦ recovering from Cybersecurity Events and restoring normal operations and services
◦ fulfilling applicable regulatory reporting obligations

“Cybersecurity Event” means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System

Page 17

A Covered Entity may adopt the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate, provided such provisions satisfy the requirements of the Cybersecurity Regulation, as applicable to the Covered Entity

Having the cybersecurity program based on a Risk Assessment provides flexibility

Page 18

A Covered Entity must implement and maintain a written cybersecurity policy setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those systems

“Nonpublic Information” is broadly defined to include business-related information as well as customer information

The policy must be approved by the Covered Entity’s board of directors or a Senior Officer

Page 19

The policy must be based on the Covered Entity’s Risk Assessment and, to the extent applicable, must address:
◦ information security
◦ data governance and classification
◦ asset inventory and device management
◦ access controls and identity management
◦ business continuity and disaster recovery planning and resources
◦ systems operations and availability concerns
◦ systems and network security
◦ systems and network monitoring
◦ systems and application development and quality assurance
◦ physical security and environmental controls
◦ customer data privacy
◦ vendor and Third Party Service Provider management
◦ risk assessment
◦ incident response

Page 20

Covered Entities must conduct a periodic Risk Assessment of Information Systems

Many of the regulation’s requirements are tied to the Risk Assessment

Risk Assessment to be based on:
◦ Criteria for evaluating and categorizing identified risks or threats
◦ Criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity’s Information Systems and Nonpublic Information
◦ Requirements describing how identified risks will be mitigated or accepted and how the cybersecurity program will address the risks

Risk Assessment to be updated as reasonably necessary to address changes in Information Systems, Nonpublic Information or business operations

Page 21

A Covered Entity must designate a qualified individual (the CISO) to oversee and implement the cybersecurity program and enforce its cybersecurity policy

This requirement may be met by using the CISO of an Affiliate or Third Party Service Provider so long as the Covered Entity:
◦ Retains responsibility for compliance with this Part;
◦ Designates a senior member of its personnel to oversee the work of the CISO;
◦ Requires the Third Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with this Part.

Page 22

Responsibilities of CISO:
◦ Report to board of directors or equivalent governing body at least annually
◦ If no such board of directors or equivalent governing body exists, the CISO shall timely present the report to a Senior Officer responsible for the Covered Entity’s cybersecurity program
◦ In making the report, the CISO should consider:
  ◦ Confidentiality of Nonpublic Information and the integrity/security of Information Systems
  ◦ The cybersecurity program and policies generally
  ◦ Material cybersecurity risks to the Covered Entity
  ◦ Overall effectiveness of cybersecurity program
  ◦ Material Cybersecurity Events during time period of report

Page 23

Must conduct monitoring and testing designed to assess effectiveness of the Covered Entity’s cybersecurity program

Continuous monitoring, or periodic Penetration Testing and vulnerability assessments

If not continuous monitoring, then:
◦ Penetration Testing of Information Systems performed annually, and
◦ Vulnerability assessments, designed to identify publicly known cybersecurity vulnerabilities in Information Systems, performed bi-annually (i.e., twice a year)

Penetration Testing means attempts to circumvent or defeat security features of Information Systems from both inside and outside the Covered Entity’s Information Systems

If contracting with a third party for Penetration Testing or vulnerability assessments, consider contracting through counsel to establish privilege

Page 24

Based upon the overall Risk Assessment, a Covered Entity must implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information accessible to, or held by, Third Party Service Providers (“TPSPs”)

Policies and procedures should address the following (to the extent applicable):
◦ The identification and risk assessment of TPSPs
◦ Minimum cybersecurity practices required to be met by TPSPs in order for them to do business with the Covered Entity
◦ Due diligence processes used to evaluate the adequacy of cybersecurity practices of TPSPs
◦ Periodic assessment of TPSPs based on the risk they present and the continued adequacy of their cybersecurity policies

Page 25

The policies and procedures must outline contractual protections relating to TPSPs, such as:
◦ TPSP’s policies regarding access controls, including its use of Multi-Factor Authentication
◦ TPSP’s use of encryption, both in transit and at rest
◦ TPSP’s incident response and notice policies in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or its Nonpublic Information
◦ Reps and warranties addressing the TPSP’s cybersecurity policies and procedures relating to security controls

A TPSP is a Person that (a) is not an Affiliate of the Covered Entity, (b) provides services to the Covered Entity, and (c) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity
◦ Examples of TPSPs: law firms, accountants, auditors, consultants, PR/media providers, cleaning services

Page 26

Based on its Risk Assessment, each Covered Entity must use “effective controls”, which MAY include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.

Multi-Factor Authentication should be used when accessing the Covered Entity’s internal networks from an external network, unless the CISO approves, in writing, the use of a reasonable equivalent or more secure access controls.

Page 27

As part of its cybersecurity program, a Covered Entity must:
◦ Provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Risk Assessment
◦ Implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect the unauthorized access, use or tampering with Nonpublic Information by Authorized Users

Page 28

A Covered Entity, based on its Risk Assessment, must implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit and at rest.

If the Covered Entity determines that encryption of Nonpublic Information, either in transit or at rest, is “infeasible,” the entity may secure Nonpublic Information using “effective alternative compensating controls” reviewed and approved by the CISO.

If the Covered Entity chooses to use such alternative compensating controls in lieu of encryption, these controls must be reviewed by the CISO at least annually.

Page 29

Covered Entities must establish an incident response plan that addresses:
◦ Internal process for responding to a Cybersecurity Event
◦ Goals of the plan
◦ Definition of clear roles, responsibilities and levels of decision-making authority
◦ External and internal communications and information sharing
◦ Identification of requirements for remediating any identified weaknesses in Information Systems and controls
◦ Documentation and reporting of Cybersecurity Events
◦ Evaluation and revision of the incident response plan following a Cybersecurity Event

Page 30

Must notify DFS within 72 hours of determining that a Cybersecurity Event has occurred if the event:
◦ Requires notice to be provided to any other government body, self-regulatory agency or other supervisory body, or
◦ Has a reasonable likelihood of materially harming any material part of the entity’s normal operations

Page 31

A Covered Entity must submit an annual certification that the entity is in compliance with the Cybersecurity Regulation.

Certification is required by February 15 and covers the prior calendar year.

First Certification is due February 15, 2018.

Specific form of certification is provided.

Page 32

Regulation was effective March 1, 2017, but with delayed compliance requirements.

Compliance required by August 28, 2017, except as follows:
◦ March 1, 2018: CISO board report, penetration testing and vulnerability assessments, risk assessment, multifactor authentication, regular cybersecurity awareness training
◦ September 3, 2018: maintaining an audit trail, application security, policies on secure disposal of Nonpublic Information, policies and procedures for monitoring the activity of authorized users, and encryption
◦ March 1, 2019: Third party service provider policy


Page 34

Scope of authority and jurisdiction

Terms of any consent order

Page 35

Federal Trade Commission
◦ Section 5 (unfair and deceptive practices)
◦ Gramm-Leach-Bliley Act Safeguards Rule (financial services)

SEC
◦ Reg S-P Safeguarding Rule
◦ Reg S-P Disposal Rule
◦ Cybersecurity Disclosures Guidance

HHS Office for Civil Rights
◦ Health Insurance Portability and Accountability Act (HIPAA)

Law Enforcement
◦ DOJ
◦ FBI, USSS

Page 36

“Since 2001, the Commission has taken action in approximately 60 cases against businesses that it charged with failing to provide reasonable and appropriate protections for consumers’ personal information.”

Page 37

36 million users’ data published
◦ One of the largest data breaches investigated by the FTC

FTC Complaint:
◦ No written information security policy
◦ No reasonable access controls
◦ Inadequate security training of employees
◦ No knowledge of whether third-party service providers were using reasonable security measures
◦ No measures to monitor the effectiveness of their system security
◦ Undetected intruder access of networks several times between November 2014 and June 2015

Stipulated Order for Permanent Injunction and Other Equitable Relief
◦ Comprehensive information security program
◦ Data security assessments by a third party: (1) in the first 180 days after the issuance date of the Order; and (2) biennial assessments for 20 years
◦ Compliance Report
◦ Compliance monitoring
◦ Judgment of $8,750,000, jointly and severally, as equitable monetary relief
  ◦ Immediate payment of $1,657,000 for FTC and States
  ◦ $17.5 million payment is suspended based on an inability to pay
◦ Simultaneous judgments
  ◦ Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, North Dakota, Nebraska, New York, Oregon, Rhode Island, Tennessee, Vermont, and DC

FTC v. Ruby Corp. et al., No. 1:16-cv-02438 (D.D.C. filed Dec. 14, 2016)

Page 38

ASUS represented that its routers included numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers”.

FTC’s complaint alleged:
◦ Failure to take reasonable steps to secure the software on its routers
◦ Critical security flaws put the home networks of hundreds of thousands of consumers at risk
◦ Insecure “cloud” services led to the compromise of thousands of consumers’ connected storage devices, exposing their sensitive personal data on the internet

Agreement Containing Consent Order
◦ Comprehensive security program subject to independent audits for the next 20 years
◦ Notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification)
◦ Prohibits the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software

ASUSTeK Computer Inc., No. C-4587 (July 28, 2016)

Page 39

Complaint allegations:
◦ Hotels stored payment card information in clear readable text
◦ Use of easily guessed passwords to access the property management systems
◦ Failed to use firewalls to “limit access”
◦ Failed to ensure that the hotels implemented “adequate information security policies and procedures”
◦ Failed to “adequately restrict” the access of third-party vendors to its network and the servers
◦ Failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations”
◦ Failed to follow “proper incident response procedures”

Page 40

Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce”

“Unfair cybersecurity practices”

Open issue before Third Circuit: Can overstating cybersecurity policies lead to a deception claim?

799 F.3d 236 (3d Cir. 2015)

Page 41

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Page 42

Alleging company failed to:
◦ Maintain a comprehensive data security program
◦ Identify commonly known or reasonably foreseeable security risks and vulnerabilities
◦ Prevent employees from accessing personal information not needed to perform their jobs
◦ Adequately train employees on basic security practices
◦ Prevent and detect unauthorized access to personal information

Page 43

Sept. 14, 2015

Page 44

FTC complaint counsel had failed to carry its burden of proving that LabMD’s alleged failure to employ reasonable data security constitutes an unfair trade practice, because complaint counsel failed to prove that the allegedly unreasonable conduct caused or was likely to cause substantial injury to consumers.

Page 45

• “[R]everse the ALJ’s decision and conclude that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the FTC Act.”

• “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system…. [I]t failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”

Page 46

“First, it is not clear that a reasonable interpretation of § 45(n) includes intangible harms like those that the FTC found in this case.”

“Second, it is not clear that the FTC reasonably interpreted ‘likely to cause’ as that term is used in § 45(n). The FTC held that ‘likely to cause’ does not mean “probable.” Instead, it interpreted ‘likely to cause’ to mean ‘significant risk,’ explaining that ‘a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.’”

Balance of equities favors granting the stay.

Page 47

• “[P]olicies and procedures were not reasonable … for two internal web applications or “portals” that allowed its employees to access customers’ confidential account information.”

• “[D]id not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need.”

• “[D]id not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals.”

Page 48

• “St. Louis-based investment adviser has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.”

Page 49

https://www.sec.gov/news/pressrelease/2015-191.html

Page 50

For example: “a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

Cal. Civ. Code §1798.81.5(b)

Page 51

The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.


Page 53

Advance Notice of Proposed Rulemaking (ANPR)

Seeking comments regarding enhanced cyber risk management standards for large and interconnected entities and service providers

Comment period ended February 17, 2017

Next step will be proposed regulations/policy statement/guidance

Page 54

Banks, bank holding companies, and certain nonbank financial companies with total consolidated assets of $50 billion or more on an enterprise-wide basis

Certain Financial Market Infrastructures (FMIs) involved with monetary and other financial transactions

Certain third party service providers to these entities

Page 55

Cyber risk governance

Cyber risk management

Internal dependency management

External dependency management

Incident response, cyber resilience, and situational awareness

Page 56

4. What are the most effective ways to ensure that services provided by third party service providers to covered entities are performed in such a manner as to minimize cyber risk?

◦ What are the advantages and disadvantages of applying the standards to services by requiring covered entities to maintain appropriate service agreements or otherwise receive services only from third-party service providers that meet the standards with regard to the services provided, rather than applying the requirements directly to third-party service providers?

Page 57

13. How would a covered entity determine that it is managing cyber risk consistent with its stated risk appetite and tolerances? What other implementation challenges does managing cyber risk consistent with a covered entity’s risk appetite and tolerances present?

Page 58

15. The agencies seek comment on the appropriateness of requiring covered entities to regularly report data on identified cyber risks and vulnerabilities directly to the CEO and board of directors and, if warranted, the frequency with which such reports should be made to various levels of management.

◦ What policies do covered entities currently follow in reporting material cyber risks and vulnerabilities to the CEO and board of directors?

25. How do covered entities currently evaluate their incident response and cyber resilience capabilities?

◦ What factors should the agencies consider essential in considering a covered entity’s incident response and cyber response capabilities?

59

34. What current tools and practices, if any, do covered entities use to assess the cyber risks that their activities, systems and operations pose to other entities within the financial sector, and to assess the cyber risks that other entities’ activities, systems and operations pose to them?

◦ How is such risk currently identified, measured, and monitored?

60

Joseph D. Simon
Partner, Cullen and Dykman LLP
100 Quentin Roosevelt Boulevard
Garden City, New York
[email protected]
Tel: 516.357.3710

NEW YORK: Manhattan, Garden City, Albany

NEW JERSEY: Hackensack, Newark, Princeton

WASHINGTON D.C.

61

Mark L. Krotoski
Silicon Valley, California
tel. +1.650.843.7212
fax. +1.650.843.4001

[email protected]

© 2017 Morgan, Lewis & Bockius LLP

62

63