Tag Archives: Johanna Skrzypczyk

Managing Cybersecurity Risks Arising from AI — New Guidance from the NYDFS

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu.

[Photos of the authors, courtesy of Debevoise & Plimpton LLP]

On October 16, 2024, the New York Department of Financial Services (the “NYDFS”) issued an Industry Letter providing guidance on assessing cybersecurity risks associated with the use of AI (the “Guidance”) under the existing 23 NYCRR Part 500 (“Part 500” or “Cybersecurity Regulation”) framework. The Guidance applies to entities that are covered by Part 500 (i.e., entities with a license under the New York Banking Law, Insurance Law or Financial Services Law), but it provides valuable direction to all companies for managing the new cybersecurity risks associated with AI.

The NYDFS makes clear that the Guidance does not impose any new requirements beyond those already contained in the Cybersecurity Regulation. Instead, the Guidance is meant to explain how covered entities should use the Part 500 framework to address cybersecurity risks associated with AI and build controls to mitigate such risks. It also encourages companies to explore the potential cybersecurity benefits from integrating AI into cybersecurity tools (e.g., reviewing security logs and alerts, analyzing behavior, detecting anomalies, and predicting potential security threats). Entities that are covered by Part 500, especially those that have deployed AI in significant ways, should review the Guidance carefully, along with their current cybersecurity policies and controls, to see if any enhancements are appropriate.


Treasury’s Report on AI (Part 1) – Governance and Risk Management

by Charu A. Chandrasekhar, Avi Gesser, Erez Liebermann, Matt Kelly, Johanna Skrzypczyk, Michelle Huang, Sharon Shaji, and Annabella M. Waszkiewicz

[Photos of the authors, courtesy of Debevoise & Plimpton LLP]

On March 27, 2024, the U.S. Department of Treasury (“Treasury”) released a report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”). The Report was released in response to President Biden’s Executive Order (“EO”) 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, which spearheaded a government-wide effort to issue Artificial Intelligence (“AI”) risk management guidelines consistent with the White House’s AI principles.

The NYDFS Plans to Impose Significant Obligations on Insurers Using AI or External Data

by Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, Matt Kelly, Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji

[Photos of the authors, courtesy of Debevoise & Plimpton LLP]

On January 17, 2024, the New York State Department of Financial Services (the “NYDFS”) issued a Proposed Insurance Circular Letter regarding the Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (the “Proposed Circular” or “PCL”). The Proposed Circular is the latest regulatory development in artificial intelligence (“AI”) for insurers, following the final adoption of Colorado’s AI Governance and Risk Management Framework Regulation (“CO Governance Regulation”) and the proposed Colorado AI Quantitative Testing Regulation (the “CO Proposed Testing Regulation”), discussed here, and the National Association of Insurance Commissioners’ (“NAIC”) model bulletin on the “Use of Artificial Intelligence Systems by Insurers” (the “NAIC Model Bulletin”), discussed here. In the same way that NYDFS’s Part 500 Cybersecurity Regulation influenced standards for cybersecurity beyond New York State and beyond the financial sector, it is possible that the Proposed Circular will have a significant impact on the AI regulatory landscape.

The PCL builds on the NYDFS’s 2019 Insurance Circular Letter No. 1 (the “2019 Letter”) and includes some clarifying points on the 2019 Letter’s disclosure and transparency obligations. The 2019 Letter was limited to the use of external consumer data and information sources (“ECDIS”) for underwriting life insurance and focused on risks of unlawful discrimination that could result from the use of ECDIS and the need for consumer transparency. The Proposed Circular incorporates the general obligations from the 2019 Letter, adding more detailed requirements, expands the scope beyond life insurance, and adds significant governance and documentation requirements.


Cybersecurity Experts React to NYDFS’s Amendments to its Cybersecurity Rules

Editor’s Note: The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is following the New York State Department of Financial Services’ (NYDFS) recently announced amendments to its Part 500 Cybersecurity Regulations. In this post, cybersecurity experts offer their insight on the final amendments and the potential implications they have for corporate cybersecurity programs.

[Photos of the contributors: Johanna Skrzypczyk, Avi Gesser, Justin Herring, Kathleen McGee, Edward Stroz, Kellen Dwyer, Rebecca Hughes Parker, Elizabeth Ferrick, Grant Ankrom, and Alex Southwell; photos courtesy of the authors]


The Arrival of 2023 U.S. State Privacy Laws – Part 2: Colorado Update

by Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Alessandra G. Masciandaro, and Ned Terrace

[Photos of the authors: Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro]

On February 1, 2023, the Colorado Attorney General (“COAG”) held a public hearing as part of its rulemaking process for the Colorado Privacy Act (“ColoPA”). Ahead of the hearing, the COAG released its third draft of proposed rules (“proposed rules”) for the ColoPA. Here in Part 2 of our 2023 U.S. State Privacy Laws series, we review key components of the proposed rules and takeaways from the public hearing. Part 1 of this Data Blog series discussed recent developments in the rulemaking for the California Privacy Rights Act.

This post addresses the timeline for COAG rulemaking and the current proposed rules relating to (1) new responsibilities for controllers related to consumer rights, (2) privacy notices, (3) universal opt-out mechanisms, (4) consent for processing sensitive data, (5) biometric data, (6) data minimization, (7) data protection assessments, and (8) profiling. Companies subject to ColoPA should review their practices to ensure compliance before ColoPA’s July 1, 2023 effective date.


NYDFS Publishes Official Amendments to Its Cybersecurity Regulation


On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation 23 NYCRR 500 (“Proposed Amendments”). This announcement follows a highly active pre-proposal comment period, during which industry stakeholders shared their thoughts with the NYDFS on the changes under consideration, which we covered here for an Overview, here for a Q and A, and during a webcast. The 60-day public comment period to the Proposed Amendments ends on January 9, 2023. In this blog post, we discuss our initial observations on significant changes between the new release and the pre-proposal.

Highlights of what we learned from the revisions:

  1. NYDFS took the time to ingest comments and clarify interpretations, so the next round of comments is very important.
  2. The Revised Proposal softens the definition of Class A companies.
  3. The Revised Proposal softens the prescriptive requirements around key controls, bringing back some of the risk-based elements of the existing Part 500.
  4. NYDFS understands that the implementation periods for some technical elements were too aggressive and has softened those requirements.


Data Minimization – Recent Enforcement Actions Show Why Some Companies Need to Get Rid of Old Electronic Records

by Avi Gesser, Johanna Skrzypczyk, and Michael R. Roberts

Since we last wrote about data minimization, there have been several regulatory developments that illustrate the increasing operational and regulatory risks of keeping large volumes of old data. As cyber threats continue to grow, and consumers gain more privacy rights over their personal data, businesses need robust data minimization programs that can significantly reduce the amount of sensitive data they collect and maintain. In this post, we discuss recent enforcement actions and regulatory requirements for getting rid of old data and offer six tips for complying with these developing obligations.


Utah Joins the Comprehensive State Privacy Law Club

by Avi Gesser, Johanna N. Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro

On March 24, 2022, Utah enacted a comprehensive consumer privacy law, the Utah Consumer Privacy Act (“UCPA”). The UCPA, effective on December 31, 2023, is largely consistent with other comprehensive state privacy laws but includes several key differences. The UCPA is set to be reviewed by the attorney general, who must submit a report to the legislature by July 1, 2025.

In prior posts, we have written about the evolving state privacy law landscape, including how to prepare for state privacy laws coming into effect in 2023 here; various aspects of the CCPA and CPRA, including here and here; and the Virginia Consumer Data Protection Act (“VCDPA”) here. For purposes of this post, we refer collectively to the CCPA/CPRA, VCDPA, and ColoPA as the “State Privacy Laws.”



Time to Update Cyber Incident Response Plans, Especially for Banks Subject to the New 36-Hour Breach Notification Rule

by Luke Dembosky, Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Andy Gutierrez, and Michelle Huang

As cyberattacks continue to plague U.S. companies, cybersecurity remains a core risk, even for businesses that have invested heavily in technical measures to protect their systems. As a result, cybersecurity best practices have evolved to include not only preventative measures, but also robust preparations for responding to cyber incidents, so that companies can improve their resilience, decrease the time it takes to detect and effectively respond to an attack, and reduce the overall damage. Because nearly every company will at some point face a successful attack, regulators, insurers, auditors, and investors view an incident response plan (“IRP”) as a key element of a reasonable cybersecurity program.

Part of the value of an IRP comes from the process of drafting it, which involves making decisions about how an incident will be handled (e.g., who should be drafting communications to impacted employees, who has the authority to shut down parts of the network, which incidents will be escalated to senior management, etc.). Determining these issues over the course of several weeks while drafting the IRP and consulting with the relevant individuals is much better than working through them for the first time under the stress and time constraints of an actual incident. Well-drafted IRPs also provide checklists of things to do when an incident occurs (e.g., preserve evidence, contact the FBI, notify the insurer, draft a public statement, determine a point of contact for external inquiries, etc.).
