Here is a compilation of critical headlines I covered in November 2023. Click on the headline to access the full article/blog.
This newsletter does not include all relevant developments that may impact your organization's governance, risk, and compliance controls. It is provided for informational purposes only and does not offer legal, accounting, or tax advice.
- New York Approves Amendments to its Landmark Cybersecurity Regs – see summary below in Special News.
- NYCBA Posting of Article, "SEC Enforcement Chief Remarks at the NYCBA Compliance Institute" – coverage of the top SEC enforcement cop, Gurbir Grewal's speech at the New York City Bar Association Compliance Institute.
- SEC Charges Royal Bank of Canada with Internal Accounting Controls Violations – the SEC charged Canada's largest bank, Royal Bank of Canada (RBC), with violating the books and records and internal accounting controls provisions of the securities laws relating to its accounting for its costs of internally developed software. RBC must pay a $6 million penalty to settle the charges.
- DOJ Announces New Civil Cyber-Fraud Initiative – last month, there was a notice on the recently unsealed case against Penn State confirming the government's growing use of the False Claims Act in cybersecurity enforcement. The federal government, for now, has declined to intervene and was given a month by the court to decide if it should take over the whistleblower's (relator's) complaint.
- FinCEN Finalizes Rule for Use of FinCEN Identifiers in Beneficial Ownership Information Reporting – FinCEN issued a final rule specifying the circumstances in which a reporting company may report an entity's FinCEN identifier instead of information about individual beneficial owners.
- The OIG Issues a Comprehensive Guide on Compliance Programs – the Office of Inspector General of the U.S. Department of Health and Human Services (OIG) published the General Compliance Program Guidance (GCPG) for the healthcare compliance community on November 6, 2023.
- FinCEN Updates Beneficial Ownership Information FAQs – FinCEN updated its Beneficial Ownership Information FAQs to include new questions about the reporting process, reporting companies, beneficial owners, company applicants, reporting requirements, initial reports, and reporting company exemptions.
- FBI & CISA Share Tactics Used by Scattered Spider Hacker – the FBI and CISA issued a joint Cybersecurity Advisory (CSA) on Scattered Spider threat actors targeting commercial facilities sectors and subsectors.
- FINRA Notifies Members of Joint CISA & FBI Cybersecurity Advisory – FINRA issued a follow-up advisory to member firms to help enhance end-user awareness, including communicating with employees about the threat, explaining the importance of employee vigilance, and ensuring employees understand the risks of non-compliance.
- SEC Announces Enforcement Results for Fiscal Year 2023 – the SEC published the Division of Enforcement's results for fiscal year 2022, which ended on September 30.
- CFTC Takes Action Against Binance's Former CCO – the problems for Binance and its executives continue with the latest action from the CFTC before the Thanksgiving break against Samuel Lim, the former Binance Chief Compliance Officer.
- Effective November 30, 2023, FINRA will discontinue its collection of data under Rule 4540.
- Update to my post: FinCEN Extends Deadline for Certain Reporting Companies – FinCEN is extending the deadline for certain reporting companies to file their initial beneficial ownership information (BOI) reports. Specifically, reporting companies created or registered in 2024 will have 90 calendar days from receiving actual or public notice of their creation or registration becoming effective to file their initial reports.
- CFPB Fines BoA for False Mortgage Data
REPORTS AND OTHER INFORMATION
I've included below a summary of reports and other developments that, while I did not cover them in November, may be relevant to your operations.
On November 1, 2023, the New York Department of Financial Services (NYDFS or DFS) released the finalized amendments to its landmark cyber regulation, 23 NYCRR Part 500 (Part 500), first enacted in 2017. The changes represent efforts that began in July 2022 and, following extensive comments, were finalized on November 1, 2023.
Highlights of the changes:
- Class A Companies (500.1(d)) - creates a new category of companies called "Class A Companies" for which there are specific additional requirements.
- Audits (500.2(c)) - requires independent audits of the covered entity's cybersecurity program based on its risk assessment.
- Access monitoring (500.7(c)) - requires monitoring of privileged access activity and implementation of: (1) a privileged access management solution; and (2) an automated method of blocking commonly used passwords (CISO-approved compensating controls are permitted so long as they are in writing and approved annually).
- Endpoint security (500.14(b)) - requires this unless the CISO approves reasonably equivalent or more secure compensating controls in writing.
- Cybersecurity policy (500.3) - requires annual approval of the cybersecurity program policy by a senior officer or the covered entity's senior governing body and adds additional areas to cover.
- CISO (500.4) - retains the requirement for a specific CISO for the covered entity while defining CISO as "a qualified individual responsible for overseeing and implementing a covered entity's cybersecurity program and enforcing its cybersecurity policy."
- Senior governing body (i.e., board or equivalent) oversight (500.4(d)) - requires a "senior governing body" of the covered entity to exercise effective cybersecurity-related oversight and clarifies that for any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d), the senior governing body may be that of the affiliate.
- Vulnerability management (500.5) - requires that vulnerability management policies and procedures require that covered entities conduct, at a minimum, annual penetration testing, automated scans of information systems, and a manual review of the scans. Also adds a requirement that all vulnerabilities must be timely remediated and prioritized by the risk posed to the covered entity.
- Access and privilege management (500.7) - requires that, based on the covered entity's risk assessment, the covered entity take specific steps related to access and privilege management (e.g., limiting the number of privileged accounts and access functions of privileged accounts to only those necessary to perform the user's job; periodically, but at a minimum annually, reviewing all user access privileges and removing or deactivating accounts and access that are no longer necessary; etc.).
- Password policy (500.7) - requires a written password policy that meets industry standards to the extent that passwords are an authentication method.
- Application security (500.8) - requires that application security procedures, guidelines, and standards be reviewed at least annually.
- Risk assessment (500.9) - specifies that the risk assessment must be reviewed and updated at least annually and when a change in the business or technology causes a material change to the covered entity's cyber risk.
- Multi-factor authentication (MFA) (500.12) - requires that MFA be used for any individual accessing the covered entity's information systems unless the entity is eligible for a limited exception. Also specifies that the CISO may approve in writing compensating controls and that such controls, if applied, must be reviewed annually.
- Asset management and data retention (500.13(a)) - requires implementing policies and procedures to maintain a complete and accurate asset management inventory of the covered entity's information systems.
- Monitoring (500.14(b)) - requires covered entities to implement risk-based controls designed to protect against malicious code (which includes controls that monitor and filter web traffic and email to block malicious content).
- Training (500.14(a)(3)) - requires that training occur annually and include social engineering training.
- Encryption (500.15) - requires a policy requiring encryption that meets industry standards and removes the infeasibility exception for encryption in transit while maintaining the infeasibility exception for encryption at rest (but clarifies that the CISO's annual review and approval of feasibility and compensating controls must be in writing).
- Incident response and business continuity and disaster recovery (500.16) - requires that incident response plans address disruptive events such as ransomware incidents, recovery from backups, and preparation of root cause analysis, and undergo annual testing.
- Notice of cybersecurity incidents and extortion payments (500.17(a); 500.17(c)) - requires notice of all cybersecurity incidents within 72 hours after determining that the event has occurred. The notice must:
  - Include an explanation of extortion payments made in connection with cybersecurity events involving the covered entity within 24 hours of the payment.
  - Within 30 days of the extortion payment, the covered entity must submit a written description of the reasons payment was necessary, a description of alternatives considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable rules and regulations.
- Certification (500.17(b)) - revises the certification process to include options for the covered entity regarding their compliance status.
- Enforcement (500.20) - adds language specifying that violations of Part 500.
- Series of staggered transition periods for various provisions:
  - December 1, 2023 - compliance with section 500.17(a) requires providing NYDFS with notice of cybersecurity events reported to other authorities and ransomware.
  - April 15, 2024 - compliance with section 500.17(b) requires all entities to submit a Certification of Material Compliance or Acknowledgment of Noncompliance for 2023.
DFS guidance is available at the Cybersecurity Resource Center, which features tools and information.
Leveraging the Power of Fun (and data) to Increase Engagement & Productivity
11 months ago: These monthly summaries are great. Thanks for these!
Legal Recruiter | I Find Forever Homes for Elite Lawyers | Specializing in Partners for Midsize and Specialty Practices | Career Strategy for GCs and Partners | Let Me Put My Experience to Work for You
12 months ago: WOW! One tends to forget how much actually happens in one month! Thanks Patty P. Tehrani for putting this all together every month! Subscribing to your Newsletter is a MUST DO for any regulatory attorney!