As Cyberthreats Mount, Advisors Have a Target on Their Backs
Attorney Brenda Sharton is an old hand at helping companies navigate data breaches. In a typical week, she would work on recovery efforts from two or three cyberattacks—a steady but manageable pace.
Then came the novel coronavirus pandemic, and the volume of attacks skyrocketed.
“Over the course of a long weekend we had nine of them,” she says of one period late last winter.
Hackers thrive on crisis and disruption, says Sharton, litigation partner and global co-chair of the privacy and cybersecurity practice at the law firm Dechert. As businesses follow tentative return-to-office plans even as the Delta variant surges, she worries about another burst of cyberattacks, which this time could include even more financial advisory practices.
Hackers eye all sorts of businesses, but wealth management companies make particularly alluring targets, thanks to their proximity to vast sums of money and the detailed information they hold on wealthy clients.
“The two holy grails for these people are money movement and data access,” Wealthcare President Matt Regan says of today’s breed of cybercriminals. “Bank robbers rob banks because that’s where the money is, and this is where the money is.”
SEC Fines Broker-Dealer and Advisory Firms for Cybersecurity Lapses
The US financial market regulator, the Securities and Exchange Commission (SEC), has imposed sanctions on eight broker-dealer and financial advisory companies for lapses in their cybersecurity policies and measures. Three firms are facing a combined monetary penalty of $750,000.
Multiple States Toughen Data Breach and Cybersecurity Requirements
It has been a busy summer for data breach and cybersecurity laws. Several states have shortened their data breach notification timelines, expanded their definitions of personal data breaches triggering notification requirements, or added provisions related to companies' cybersecurity programs.
We summarize the notable changes below. Clients are advised to carefully review these changes and assess whether their existing information security policies and procedures should be updated.
New York Cracks Down on Cybersecurity Compliance
In 2021, the New York Department of Financial Services (NYDFS) is cracking down on companies that fail to comply with the Cybersecurity Regulations set forth in 23 NYCRR Part 500 by imposing millions of dollars in civil penalties. On June 8, 2021, NYDFS issued a series of frequently asked questions (FAQs) to provide guidance with respect to the Cybersecurity Regulations, which impose stringent requirements designed to protect information systems and nonpublic information stored on those systems. On June 30, 2021, NYDFS issued Ransomware Guidance on steps companies should take to prevent or mitigate the risk of a ransomware attack. In addition, NYDFS has encouraged cyber insurers to adopt a Cyber Insurance Risk Framework to measure and manage cyber risk and exposure due to the unprecedented rise and growing losses associated with cyber threats and systemic risk.
Cybersecurity compliance — Are you accidentally breaking the law?
When a business suffers a cyber incident, a myriad of legal and regulatory implications follow. To handle such an incident effectively — and legally — it’s crucial to:
Understand the specific cybersecurity regulations applicable to your company and industry.
Determine what your company needs to do to achieve compliance.
Make sure you don’t break the law in how you respond should an incident occur.
The current cyber threat landscape is incredibly active — given the rush to remote work as a result of the pandemic, a significant increase in security incidents has occurred. Meanwhile, hackers — both individuals and nation-states — recognize this and continue to exploit weaknesses in cybersecurity systems and practices.
SEC Returns Spotlight to Cybersecurity Disclosure Enforcement
On June 15, the Securities and Exchange Commission announced a settlement with First American Financial Corporation for what the SEC found were inadequate disclosure controls and procedural violations, revealed in connection with a cyber incident last spring.
Connecticut has become the third state to enact a cybersecurity safe harbor statute.
On June 16 and July 6, 2021, Connecticut Governor Ned Lamont signed two new cybersecurity laws that continue the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021.
"An Act Concerning Data Privacy Breaches" Amends Connecticut's Existing Data Breach Law
Add Connecticut to List of States Offering Cybersecurity Safe Harbor
HB 6607 became law without the Governor’s signature, and will incentivize the adoption of cybersecurity standards for businesses. The new law will allow businesses that adopt certain cybersecurity practices to escape punitive damages in any cause of action that alleges that a failure to implement “reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information” if the action is brought under the laws of the State of Connecticut or in the courts of the State of Connecticut.
NASAA Annual Report on State Registered Advisers
In April, the North American Securities Administrators Association (NASAA) published its Investment Adviser Section Annual Report, highlighting its 2020 activities concerning state-registered advisers. In sum, the report paints a statistical picture of the average state-registered adviser in 2020, reports on a sampling of state approaches to managing through the COVID-19 pandemic, and addresses two major NASAA initiatives – the Investment Adviser Policies and Procedures Model Rule and the Investment Adviser Representative Continuing Education Model Rule.
Managing Cybersecurity and Privacy Risks in Vendor Engagements
The SEC’s Division of Examinations (EXAMS) has made it a priority in 2021 to review the steps that firms take to ensure information security and operational resiliency.
In its report, EXAMS noted that it will scrutinize whether advisers have implemented appropriate measures to oversee vendors and service providers and manage the cybersecurity and privacy risks inherent in those relationships. So what does the agency expect to see from you?