Corporate boards are facing mounting pressure concerning their oversight of data security and privacy risks. Regulatory guidance, emerging regulatory requirements, fines, and lawsuits combined with technological advances and changing business processes are shaping a new and evolving standard of care with exponentially increasing exposures for today’s directors and their organizations. Boards now find themselves front and center when it comes to dealing with these difficult issues, which dramatically increases their need for effective reporting from management and other subject matter experts.
As explained in this post from Wilson Elser and DAC Beachcroft, the NY DFS cyber security regulation explicitly places cyber responsibility on corporate boards. Smart companies are re-examining their D&O and cyber insurance policies in light of this new exposure.
For the past decade, the duty of corporate directors to oversee corporate risk has become more and more pronounced. Over the past several years, however, cyber and data handling risks have emerged as perhaps the most challenging of the areas requiring board oversight.
New York State’s powerful financial regulator, the Department of Financial Services (DFS), has recently grabbed the cybersecurity spotlight by issuing a first-in-the-nation cybersecurity regulation, which went into effect on 1 March 2017.
The regulation is a game changer for directors with responsibility over any financial institutions (including banks, trusts and insurance companies, referred to here as covered entities) that are required to operate under a licence, registration, or similar authorisation under New York’s Banking Law, Insurance Law or Financial Services Law. Although the regulation does not directly apply to national banks and federal branches of foreign banks, it does apply, for example, to New York-licensed lenders and branches of foreign banks. Because it applies regardless of where the institution is domiciled, the regulation’s impact is being felt around the world. It is groundbreaking in several respects.
First, it is a mandatory regulation, as opposed to ‘guidance’, that requires covered entities to establish a cybersecurity programme designed to protect the confidentiality, integrity and availability of the institution’s information systems and nonpublic information. Although the DFS does not spell out specific fines or penalties associated with violations, the regulation provides that it will be enforced pursuant to DFS authority ‘under any applicable laws’.