VLP Partner Melissa Krasnow Quoted in Bloomberg Law Article “New York Proposes Bigger Cyber Role for Bank, Insurer Boards”
VLP Partner Melissa Krasnow was quoted in the Bloomberg Law article “New York Proposes Bigger Cyber Role for Bank, Insurer Boards.”
The article discusses proposed updates from New York State’s Department of Financial Services to New York’s first-of-their-kind cybersecurity rules for financial institutions, which went into effect in 2017. Companies that run afoul of the rules risk NYDFS fines.
These updates include requiring board approval of cyber policies at banks, insurers, and other financial institutions meeting a certain size threshold laid out by the regulator. Companies would also have to disclose whether their directors have the expertise to oversee security risks or whether they rely on outside cyber consultants.
According to Ms. Krasnow: “One question for companies seeking to comply with the proposed rules is how to define cyber expertise at the board level… [h]ow do you demonstrate that?” She suggested that companies subject to the New York rules may press for more detail on what counts as cyber expertise during the feedback period.
Under the updates, cybersecurity executives would need to give directors timely alerts of significant cyber issues or events. They would also be required to report to the board each year on cyber risks and defenses as well as on plans for filling in security gaps.
Financial institutions would have 72 hours to tell the regulator about any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the company’s information system.
The proposal would direct regulated financial institutions to alert the state regulator within 24 hours of making a ransom payment to a hacker.
In the proposal, financial institutions also would need to explain why a ransom payment was necessary, which alternatives were considered, and how federal sanctions implications were assessed.
Click here to read the entire article.