Resources

DOJ Guidance on Best Practices for Victim Response and Reporting of Cyber Incidents – This “best practices” document was drafted by the Cybersecurity Unit of the DOJ to assist organizations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident.

FINRA Report on Cybersecurity Practices – This report presents an approach to cybersecurity grounded in risk management that is intended to assist broker-dealer firms in developing and enhancing their cybersecurity programs.

NAIC Model 673 – This model regulation prepared by the National Association of Insurance Commissioners establishes standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information, pursuant to Sections 501, 505(b), and 507 of the Gramm-Leach-Bliley Act.

NIST Framework – The NIST Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

NYDFS Report on Cybersecurity in the Insurance Sector – This report by the New York Department of Financial Services outlines a horizontal perspective of the insurance industry’s efforts to prevent cybercrime, protect consumers and clients in the event of a breach, and ensure the safety and soundness of their organizations.

Regulation S-P (the “Safeguards Rule”) – Rule 30 of Reg. S-P is the primary source of the SEC and FINRA’s authority over securities firms’ cybersecurity programs.

Regulation S-ID (the “Red Flags Rule”) – The Red Flags Rule requires companies that fall within its scope to “develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.”

SEC OCIE Cybersecurity Examination Sweep Summary – This summary provides observations from the examinations conducted by the SEC under the Cybersecurity Examination Initiative in order to provide perspectives from a cross-section of the financial services industry and to assess various firms’ vulnerability to cyberattacks.

SEC OCIE Cybersecurity Initiative – The SEC’s OCIE issued this Risk Alert in 2014, providing a sample list of requests for information that OCIE may use in conducting examinations to assess cybersecurity preparedness in the securities industry.

SEC Division of Corporation Finance Disclosure Guidance – This document provides the SEC Division of Corporation Finance’s guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents.