NY DFS Hosts Webinar on MFA Requirements
Key Point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to review carefully their compliance in view of the NYDFS interpretations and guidance.
Privacy/Data Security/Cyber Risk
Important Guidance on Third-Party Service Provider Cyber Risk
Key Point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.
On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). The guidance, Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers (the “Guidance”), specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers. According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.
Red Teaming Is an Effective Tool for Insurer Assessment of AI Risks
The insurance industry is facing increased scrutiny from insurance regulators related to its use of artificial intelligence (AI). Red teaming can be leveraged to address some of the risks associated with an insurer’s use of AI. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) defines a “red team”[1] as:
NYDFS Warns of Heightened Risk From Global Conflicts: What Regulated Entities Must Do Now
On June 23, the New York State Department of Financial Services (NYDFS) issued an industry letter to all regulated entities — banks, insurers, money transmitters, virtual currency companies, and others — cautioning that escalating global conflicts are intensifying threats to the U.S. financial system. The letter highlights increased risk from destructive cyberattacks, sanctions evasion, and illicit activity involving virtual assets. NYDFS urges institutions to take immediate, proactive steps to strengthen operational resilience, ensure compliance, and protect the financial sector from geopolitical spillover.
Maryland Issues Bulletin No. 24-11 on the Use of AI in Insurance
Commissioner Kathleen Birrane, Maryland Insurance Administration, on April 22, 2024 issued Bulletin No. 24-11, The Use of Artificial Intelligence Systems in Insurance (the “Bulletin”).
December 2023 Privacy & Cybersecurity Newsletter: A Busy Year-End (States, EU, UK, Incident Response and Litigation)
Locke Lord’s Privacy & Cybersecurity Newsletter provides topical snapshots of recent developments in the fast-changing world of privacy, data protection and cyber risk management.
You’re invited: 2023 Insurance Forum
Locke Lord is proud to host the 2023 Insurance Forum, presented by The Insurance Forum Foundation at the Chicago office on November 2, 2023. Paige Waters will moderate a panel that will discuss Artificial Intelligence in the Insurance Industry.
InsurTech Legal Academy: Data Privacy and Security for InsurTechs
Join Locke Lord, InsurTech NY and InsurTech Hartford for the next installment of the InsurTech Legal Academy webinar series on legal and regulatory issues impacting the InsurTech industry. Each quarter, we’ll tackle a new important topic.
Summer 2023 Privacy & Cybersecurity Newsletter: Spotlight on CCPA
Locke Lord’s Privacy & Cybersecurity Newsletter provides topical snapshots of recent developments in the fast-changing world of privacy, data protection, and cyber risk management.
CT Bar Association Presentation
Locke Lord will host the Connecticut Bar Association CLE program presented by the Privacy and Cybersecurity Committee on Wednesday, March from 5:00 pm – 7:00 pm. Alex Cox will serve on a panel that will discuss the New CT Data Privacy Act (ECS230301).