Category Archives: Ransomware

NYDFS Proposes Updated Second Amendment to Its Cybersecurity Regulation

by Lisa Sotto and Michael La Marca 


Lisa Sotto and Michael La Marca (Photos courtesy of Hunton Andrews Kurth)

On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published an updated proposed Second Amendment (“Amendment”) to its Cybersecurity Regulation, 23 NYCRR Part 500. On November 9, 2022, NYDFS published a first draft of the proposed Amendment and received comments from stakeholders over a 60-day period. The updated proposed Amendment will be subject to an additional 45-day comment period.


The New York Attorney General Issues Guidance on Data Security Best Practices

by Avi Gesser, Erez Liebermann, Stephanie D. Thomas, and Basil Fawaz


Avi Gesser, Erez Liebermann, Stephanie D. Thomas, and Basil Fawaz. (Photos courtesy of Debevoise & Plimpton LLP)

On April 19, 2023, the New York Attorney General (the “NYAG”) published new guidance (the “Guide”) recommending security measures for companies entrusted with consumers’ personal information. The Guide supplements the reasonable safeguards already outlined in the New York Shield Act, which, in part, requires covered entities to maintain reasonable security measures when handling personal information related to New York residents. The Guide reinforces practices that regulators have focused on, such as authentication, encryption, third-party risk management, and data governance. While the Guide’s recommendations are only advisory, it details the NYAG’s Shield Act enforcement actions on these issues, and the Guide is meant to put companies “on notice that they must take their data security obligations seriously.” Following its issuance, the NYAG announced additional Shield Act enforcement actions, including one involving Practicefirst Medical Management Solutions, that underscored many of the security concerns highlighted in the Guide.


Federal Agencies Publish New Version of the #StopRansomware Guide

by Benjamin A. Powell, Matthew F. Ferraro, Shannon Togawa Mercer, and Ariel Dobkin


From left to right: Benjamin A. Powell, Matthew F. Ferraro, Shannon Togawa Mercer, and Ariel Dobkin (photos courtesy of Wilmer Cutler Pickering Hale and Dorr LLP)

On May 23, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a second edition of the #StopRansomware Guide (the Guide). The Guide, first published in September 2020, aims to help organizations reduce the risk of ransomware attacks, and it provides best practices to prevent, detect, respond to, and recover from such incidents. The 2023 version contains updated guidance and best practices in the areas of initial infection vectors, cloud backups, zero trust architecture and ransomware response.


National Cybersecurity Strategy 2023: Highlights from the U.S.’ Ambitious and Inclusive New Plan

by Ekene Chuks-Okeke


Ekene Chuks-Okeke (photo courtesy of the author)

On March 2, 2023,[i] the White House Office of the National Cyber Director (“ONCD”) published the new U.S. National Cybersecurity Strategy (the “Strategy”).[ii] This article highlights key provisions of the Strategy that are relevant to cybersecurity compliance for businesses, internet infrastructure providers and government contractors, as well as a general overview of the United States’ ambitious, collaborative vision for cybersecurity.

Background

The Strategy is released further to President Biden’s Executive Order on Improving the Nation’s Cybersecurity (May 2021, E.O. 14028)[iii] and significant budgetary commitment by Congress in the Bipartisan Infrastructure Deal[iv] to expand Americans’ access to reliable high-speed internet and incentivize domestic innovation and manufacturing in the CHIPS and Science Act, 2022.[v]


NYDFS Publishes Official Amendments to Its Cybersecurity Regulation

by , and

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation 23 NYCRR 500 (“Proposed Amendments”). This announcement follows a highly active pre-proposal comment period, during which industry stakeholders shared their thoughts with the NYDFS on the changes under consideration, which we covered here for an Overview, here for a Q and A, and during a webcast. The 60-day public comment period to the Proposed Amendments ends on January 9, 2023. In this blog post, we discuss our initial observations on significant changes between the new release and the pre-proposal.

Highlights of what we learned from the revisions:

  1. NYDFS took the time to ingest comments and clarify interpretations, so the next round of comments is very important.
  2. The Revised Proposal softens the definition of Class A companies.
  3. The Revised Proposal softens the prescriptive requirements around key controls, bringing back some of the risk-based elements of the existing Part 500.
  4. NYDFS understands that the implementation periods for some technical elements were too aggressive and has softened those requirements.


Why Your Business Needs a Ransomware Payment Policy

by Julie DiMauro

When I was working with my friend and digital forensics expert, Professor Darren Hayes, on preparing an instructor-led, virtual ransomware training course several months ago, I noticed that the threat landscape and number of such attacks wasn’t just changing and increasing,[1] but that the discussion about whether paying a ransom after such an attack was legal or not was evolving.

The answer to whether you can pay a ransom or not depends on an emerging body of law and guidance. Let’s take a quick peek and see what is going on here.
