Privacy/Data Security/Cyber Risk

Subscribe to Privacy/Data Security/Cyber Risk via RSS

Key Point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.

On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers | Department of Financial Services specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers (“Guidance”). According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.Read More Important Guidance on Third-Party Service Provider Cyber Risk

The insurance industry is facing increased scrutiny from insurance regulators related to its use of artificial intelligence (AI). Red teaming can be leveraged to address some of the risks associated with an insurer’s use of AI. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) defines a “red team”[1] as:Read More Red Teaming Is an Effective Tool for Insurer Assessment of AI Risks

On June 23, the New York State Department of Financial Services (NYDFS) issued an industry letter to all regulated entities — banks, insurers, money transmitters, virtual currency companies, and others — cautioning that escalating global conflicts are intensifying threats to the U.S. financial system. The letter highlights increased risk from destructive cyberattacks, sanctions evasion, and illicit activity involving virtual assets. NYDFS urges institutions to take immediate, proactive steps to strengthen operational resilience, ensure compliance, and protect the financial sector from geopolitical spillover.Read More NYDFS Warns of Heightened Risk From Global Conflicts: What Regulated Entities Must Do Now

Locke Lord’s Privacy & Cybersecurity Newsletter provides topical snapshots of recent developments in the fast-changing world of privacy, data protection and cyber risk management.
Read More December 2023 Privacy & Cybersecurity Newsletter: A Busy Year-End (States, EU, UK, Incident Response and Litigation)

Specialty insurer Beazley sponsored the first Cyber Insurance Catastrophe (CAT) bond recently, a new type of ILS or insurance linked security issued by a Bermuda entity. They announced the $45 million private placement on January 9, 2023. The bonds provide investors with a generous floating rate of interest and a return of principal in one year, provided that no single catastrophic event occurs across Beazley’s portfolio of cyber insurance policies that results in more than $300 million of losses. Any losses above $300 million incurred by Beazley on those policies as a result of that one event would be absorbed by the investors, up to the $45 million principal amount. The deal was marketed under an NDA, so not all of the details are available, but the bonds will not protect against losses from a state-sponsored cyberattack, which is typically excluded from cyber insurance policies as an act of war.
Read More A New Type of ILS Investment – Cyber Insurance CAT Bonds