Webinar: Global reaching Cybersecurity Regulations in New York, will they impact your company?

Now that the WannaCry ransomware has your attention and the attention of everybody else, it is time to start thinking about your company’s cybersecurity legal and compliance obligations.

Do you know whether your company will be impacted by New York’s expansive and global reaching Cybersecurity Regulations? The new Regulations govern many companies that do business in New York as well as other companies they do business with, even if they are not located in or doing business in New York.

The Regulations became effective in March and enforcement begins on August 28, 2017. For companies directly regulated (Covered Entities), the Cybersecurity Regulations provide an outline of essential standards, dictate who should lead the process,andmandate top down buy-in by management and the Board of Directors through these mechanisms:

  • Each Covered Entity must assess its unique risk profile and design a cybersecurity risk management program that addresses its risks in a robust fashion.
  • Each Covered Entity must designate a qualified individual to serve as its Chief Information Security Officer responsible for overseeing and implementing its cybersecurity program that must include things such as cybersecurity-focused policies and procedures and workforce training, penetration testing, third party service provider policies and procedures, development of an incident response plan, and stringent reporting obligations.
  • Each Covered Entity’s senior management must be responsible for its cybersecurity program and file an annual certification confirming compliance with the Cybersecurity Regulations that is attested to by either a Senior Officer or the Chairman of the Board of Directors.

I am inviting you to a COMPLIMENTARY WEBINAR I will be hosting to explain which companies will be impacted and the details about this new law.

Date: Tuesday, May 23, 2017
Time: 10:00 CST
Can’t attend at that time? No problem, register to view it online at your convenience.

REGISTER HERE!

The webinar is being brought to you courtesy of Boldon James, Cyber Future Foundation, and Scheef & Stone. I look forward to your joining us for this webinar and welcome any questions you may have.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

3 More Key Cybersecurity Takeaways General Counsel Should Learn Learn from Yahoo

The lessons that general counsel can learn from the Yahoo data breach just keep coming. A month ago I published 5 Key Takeaways from Verizon’s GC on Lessons Learned from Yahoo Deal and recently I read Yahoo’s Warning to GCs: Your Job Description Just Expanded (Big-Time), which I found to be excellent.

Here are 3 key cybersecurity takeaways that general counsel should learn that are described more in that article. The explanation in the article is very good and the author provides actionable recommendations — I encourage you to read the entire article:

  1. The general counsel has emerged as the most logical and effective quarterback of data breach response.
  2. Yahoo’s actions not only signal the evolution of a new standard of care for general counsel when it comes to cybersecurity but also signal a vast expansion of general counsel oversight. 
  3. Cybersecurity presents every bit, if not more risk than financial reporting failure, and should receive the same level of oversight and audit.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

5 Key Takeaways from Verizon’s GC on Lessons Learned from Yahoo Deal

A good friend recently shared with me the article Verizon GC on the Lessons Learned from Deal with Yahoo (use Linkedin for paywall access) because he thought it would be valuable information to add to my own cybersecurity knowledge toolbox. Given the experience Verizon’s GC has gained through this process, when he talks about lessons learned, we should all pay attention.

Here are the 5 key takeaways to keep in mind for mergers and acquisitions such as this one:

  1. Have a strategy on how to handle the news of data breaches.
  2. Analyze how a data breach impacts the original goals of the deal and how it will impact investors.
  3. Be very disciplined in messaging, ensuring that all public statements, to all audiences, are a variation of the same core messages.
  4. Know what the parties’ agreement says about data breaches which, necessarily, requires that the agreement address the issue of data breaches.
  5. While due diligence around data breaches may be important, it is more important to have reps and warranties around data breaches because it is unreasonable to expect due diligence to find what the company itself hasn’t found.

Yahoo security lapses laid bare even as Russia blamed for hack

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Critical Steps Companies Must Take to Comply with New York’s Cybersecurity Rules – Ethical Boardroom

Winter2017New York’s Cybersecurity Regulations went into effect on March 1, 2017 and their impact could reach farther than you think — including to small and mid-sized companies that do not do business in New York and are not in the financial services industries. And, they require direct involvement by the Board of Directors. Is your company ready?

In my latest Ethical Boardroom article, I explain

  1. how these Cybersecurity Regulations can impact businesses of all sizes, in all industries, and all around the world,
  2. what specific steps regulated companies must take to be in compliance with the Cybersecurity Regulations, and
  3. what these Cybersecurity Regulations mean for nearly all companies.

Here is the full article from the Winter 2017 edition (page 140) which is available with free registration to the Ethical Boardroom website: Getting to Grips with New York’s Cybersecurity Compliance Rules

Here are other Ethical Boardroom (@EthicalBoard) articles that I have written that are also available for free:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

New York Cybersecurity Regulations Delayed, Being Revised

New York Skyline at Twilight Hour
The New York Skyline at Twilight Hour

Photo Credit: Photo Credit: Marco Verch
Licensed under Creative Commons Attribution 2.0 (no changes were made to the image) https://creativecommons.org/licenses/by/2.0/deed.en

The New York Department of Financial Services has pushed back the effective date of its Cybersecurity Regulations from January 1, 2017 to March 1, 2017. This is to give the NYDFS time to significantly revise the proposed Cybersecurity Regulations initially released for comment in September 2016, which created quite a bit of controversy. The revised regulations are to be published on December 28, 2016.

The NYDFS signaled this change two days after a hearing in Albany, New York in which New York bankers voiced their concerns to New York State lawmakers. While the NYDFS has not elaborated on what is being re-written, the following are some of the key concerns that were voiced to lawmakers in the hearing:

  1. It would cost too much.
  2. Banks shouldn’t be forced to hire CISOs.
  3. The rules are too tough.
  4. New York’s regulation is too different from the federal rules of FFIEC, Federal Reserve, the OCC, the FDIC and even NIST.
  5. The regulation is “one size fits all.”
  6. It calls for too much incident reporting.
  7. The extra regulation and reporting could create an impression that New York banks are less secure than others.

These points are explained more thoroughly in the American Banker source article New York Rewriting Cybersecurity Rules After Banker Pushback.

Here are two articles I have written for SecureWorld that discuss the proposed NYDFS Cybersecurity Regulations and I will also address the revisions in the near future:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.