Re: Proposed Cybersecurity Requirements for Financial Services Companies DFS P
CATHERINE M. TULLY
Director, Government Affairs

Submitted via electronic mail:

November 15, 2016

Ms. Cassandra Lentchner
Deputy Superintendent for Compliance
NYS Department of Financial Services
One State Street
New York, New York

Dear Ms. Lentchner:

Re: Proposed Cybersecurity Requirements for Financial Services Companies DFS P

The Business Council is New York's largest statewide employer association, representing more than 2,400 private sector employers in all business sectors located across the state.

The Business Council applauds the Department of Financial Services (DFS) for initiating the discussion on cybersecurity. This is a complex issue in a technology arena where the landscape is constantly changing. The proposed rulemaking brings attention to the challenges of maintaining internet safety and security, and highlights the potential risks of placing non-public information and data in jeopardy. Regardless of how vigilant and rigorous a cybersecurity program may be, it cannot perfectly secure every act; thus businesses need the flexibility to focus on the information that is critical to securing their market. Consequently, a one-size-fits-all approach is neither effective nor manageable.

The diverse membership of the Business Council includes many of the industry leaders, as well as small and mid-size businesses from every segment of the market, including finance, manufacturing, insurance, telecommunications and technology. Our economy is a global economy, and since many of these companies operate not just in New York State but in other states and in foreign markets, they must anticipate threats levied against their systems from a variety of avenues. All of these industries require safeguards for both the proprietary information common to industry-specific markets and the customer data entrusted to them by consumers. Protective, proactive steps include the employment of state-of-the-art cybersecurity programs and the retention of experts on internet security.
The complexity, cost and transition time needed to effectively implement the proposed regulation should be the result of a deliberative process, so that the business community and third party vendors have the opportunity to engage with the Department and so that compliance with the proposal is reasonable, effective and consistent with federal and state laws and regulations. The Business Council has received input from a number of our members; many will be submitting detailed comments addressing their individual concerns. However, in our discussions, several issues were raised in common, including the following:
The proposal applies to all Covered Entities, defined to include DFS registered and licensed entities ( (c)). Some DFS registered and licensed entities, however, do not maintain any Information Systems and do not possess any Nonpublic Information, as those terms are defined in the proposal. In some instances, entities become licensed in New York for the limited purpose of complying with requirements under the insurance laws and related regulations that require licensure for insurance producers as a condition of receiving commission payments. Other firms may only open a sales office in New York State that must be registered pursuant to DFS requirements. But if these entities do not actually maintain information systems and personal data or other information governed by the proposal, then any final rule resulting from the proposal, we suggest, should not apply to them. Accordingly, it is recommended that the DFS revise the definition of Covered Entity to exclude entities that do not operate or maintain an Information System and do not generate, receive or possess Nonpublic Information.

The broadly defined Cybersecurity Event (d) will require institutions to report any attempt on an information system, even an unsuccessful attempt, to the Superintendent within 72 hours. In addition, (a) (2) requires reporting where there is potential unauthorized tampering with nonpublic information. Compliance will be a challenge, as entities must be able to identify these unsuccessful attempts to access their systems and then document what conceivably could be thousands of such attempts on a daily basis. Further, this extraordinary number of events will inundate DFS with reports of potential threats, the majority of which were blocked, prevented or otherwise defended against.
It is recommended that the definition establish a higher threshold for reportable incidents, so that staff and resources at the Covered Entities and at the Department direct their efforts to the actual acts and threats that information systems encounter every day. ( ) sets forth the required Notices to the Superintendent. As stated above, businesses can and do receive thousands of attempted threats daily to penetrate their information technology systems. Seventy-two hours is a short span of time for a business to provide a comprehensive report to DFS of every event that is identified as an attempted cybersecurity event. Moreover, at a time when an entity is responding to an actual act or threat, filing a report should not be the priority. Attention must be given to focusing on the actual act, assessing the situation, bringing in experts and determining any impacts. These necessary actions require more than 72 hours. We believe that New York State law already provides reasonable notification to the Attorney General and law enforcement agencies, requiring disclosure of breaches in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement (General Business Law § 899-aa; State Technology Law § 208). A rule with a workable timeframe, more in tune with the realities of reacting to a confirmed material act rather than to attempts to disrupt the system, and consistent with current law, is recommended.

The definition of Nonpublic Information (NPI) (g) essentially captures any information held by an institution, including business-related information as well as personal information. This wording appears to protect information that is not identifiable or is aggregated such that it is not attributable to an individual. The definition should be modified to limit its focus to the types of sensitive information that constitute personally identifiable information. Specifically, (g) (4) should be removed from the definition.
It includes information that is linkable even if not currently used to identify a customer. Without limiting the definition to information that is already linked to a customer, any information collected or tracked by a Covered Entity could potentially be included in the definition. Moreover, the inclusion of information about an individual used for marketing purposes should be stricken, because it could potentially include information created by a Covered Entity based on that customer's use of the site. Such information would be information that a Covered Entity creates about an individual and that is of no use or benefit outside of the Covered Entity's internal systems.
The Encryption of Nonpublic Information would cover virtually all nonpublic information relating to a customer, regardless of sensitivity. There is concern over the lack of flexibility for an entity to assess what it is protecting and to ensure that it is sensitive personal information. The proposal would require encryption of any system on which customer information is maintained, as well as of every electronic transmission of customer information. There are a variety of technical controls that may be applied to protect data that are as effective as encryption. Institutions should be able to select other methods based on their risk assessment. It is recommended that institutions have the flexibility to assess what they are protecting and implement controls accordingly.

The definition of Publicly Available Information (j) should reference any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public. The rest should be deleted. As currently drafted, Covered Entities could be deemed to have an obligation to determine the source of publicly disseminated information in order to decide whether it meets the definition. A Covered Entity should not have the burden of determining the source of the information, provided that information was found in the public domain, nor should it have the burden of determining whether a particular news source is sufficiently widely distributed to meet the standard. It is not possible to know the distribution of online materials and news sources. Moreover, the definition fails to include information that has been made available to the general public by the individual themselves.

The implementation of a Third Party Information Security Policy ( ) is an important component in protecting and securing information systems. However, this is also an area where a uniform, one-size-fits-all model is not workable.
Institutions need the flexibility to evaluate separately what types of sensitive information, if any, they are sharing with each of their third party provider relationships and to craft the appropriate terms on a case-by-case basis. In addition, requiring Covered Entities to include preferred provisions in contracts with third party providers imposing multi-factor authentication and encryption requirements would present significant challenges for vendor procurement. In particular, requiring representations and warranties that no service provider could possibly provide (i.e., that their service or product is free of viruses, trap doors, time bombs and other mechanisms) could result in hardship in finding providers willing to enter into contracts warranting significant security requirements that are not risk based and do not take into account the specific relationship. Institutions can, based on a risk assessment approach, determine the types of service providers on which to impose security obligations [ (b) (5)]. It is also noted that requiring identity protection services in certain data breach situations may not be necessary, and we suggest that the language provide some flexibility and allow provision for appropriate remedies, including identity protection services (b)(4).

The proposed regulation would also impose requirements directly on the Boards of Directors of Covered Entities (b). New York Business Corporation Law (§ 701) states that the business of a corporation shall be managed under the direction of its board of directors. As such, it is the Board's role to provide oversight of the management of the corporation. Therefore, while Boards should be exercising oversight in the area of risk, which would include cybersecurity, it would be outside of their duties to play an operational role in the management of that risk.
However, certain aspects of the proposed regulation go too far in pushing the Board toward a more operational role in cybersecurity, as well as in micromanaging how the Board conducts its oversight. For example, (b) would require the Chief Information Security Officer to report to the Board biannually on specific topics and details. The report to the Board would be required to contain specific categories of information, such as detail[ed] exceptions to the Covered Entity's cybersecurity policies and procedures (b) (2). Mandating the Board to review such technical operational matters would divert valuable time and attention of the Board away from its important role of overall oversight from a strategic perspective, and it could have the unintended consequence of creating more risk for an organization. Similarly, the proposed regulation would also require the Board to review the company's written cybersecurity policy and annually certify as to the adequacy of the cybersecurity program. Again, certifying the adequacy of a highly technical program is outside the scope of the appropriate role of a Board of Directors and unlike anything else a Board typically does in executing its oversight role.

A one-size-fits-all approach that micromanages the operation of Boards of Directors is neither appropriate, given the complex differences among Covered Entities, nor necessary. The Business Corporation Law (§ 717) already requires Board members to act in good faith and with that degree of care which an ordinarily prudent person in a like position would use under similar circumstances, and there is a well-established body of law governing how Boards should exercise their responsibilities. Given the importance of cybersecurity in this day and age, these fiduciary duties dictate that Board members involve themselves in the oversight of cybersecurity strategy. The DFS should not impose new, operational duties on Boards that would take away from these oversight functions. It is recommended that the language in the Certification of Compliance (attachment A) be amended such that: (1) The Board of Directors (or name of Senior Officer(s)) have reviewed the management of the company's cybersecurity program in the past year; and (2) The Board of Directors (or name of Senior Officer(s)) have reviewed the assessment of compliance with the NYS cyber regulation.

The audit trail provision ( ) requires tracking and maintaining data for six years.
Security systems are constantly being updated, and retention of all records for that period of time would likely not provide any useful information and would create significant storage burdens. Again, allowing entities the flexibility to determine the appropriate retention time, such as a period of one year, is more reasonable and consistent with industry standards.

Cybersecurity is a difficult challenge for government and businesses alike. As previously stated, it is critical that the development of regulations provide the necessary rigor and flexibility to ensure compliance; this requires further discussion and study. The Business Council recommends that consideration be given to the complexity of compliance with the rulemaking and that DFS extend the effective date of January 1, 2017 to allow for revisions to the proposal based on the issues raised and the proposed amendments submitted by the Business Council, its members and others. Moreover, it is recommended that the timetable be extended beyond the transitional period of 180 days, as that extension is necessary for Covered Entities to develop and properly assess all the policies, procedures and controls required by this proposed regulation.

This proposal purports to regulate financial institutions that are already subject to regulation and oversight under federal law. Members have raised the concern that compliance with federal standards and requirements along with New York's proposal will lead to disarray and misaligned cybersecurity measures across the industry, instead of working toward greater coordination and harmonization. The proposed regulation should be drafted in a manner that is consistent with the evolving federal framework.

In conclusion, the proposal's rigid standards of regulation do not take into account the varying sizes, resources and types of financial services companies and third party providers to which it would apply.
Complying with this proposal would involve a significant investment of time, staffing and resources. It is a challenge for businesses to protect and maintain a viable, safe and effective information system. A risk-based approach provides the flexibility and the opportunity for them to assess and implement the methods necessary to ensure the integrity of their systems.

Thank you for the opportunity to comment on this very important proposed regulation.

Sincerely,

Catherine M. Tully
Director of Government Affairs
More informationCyber-Insurance: Fraud, Waste or Abuse?
SESSION ID: STR-F03 Cyber-Insurance: Fraud, Waste or Abuse? David Nathans Director of Security SOCSoter, Inc. @Zourick Cyber Insurance overview One Size Does Not Fit All 2 Our Research Reviewed many major
More informationNovember 28, Morten Linnemann Bech CPMI Secretariat Bank for International Settlements Centralbahnplatz Basel Switzerland
November 28, 2017 Morten Linnemann Bech CPMI Secretariat Bank for International Settlements Centralbahnplatz 2 4051 Basel Switzerland Via Email (cpmi@bis.org) Re: Proposed Strategy to Address Wholesale
More information(a) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and
HIPAA Compliance Beyond Health Care Organizations A Primer Peter Koso May 24, 2001 Introduction This review is intended to assist Security Officers with the first implementation steps for meeting any or
More informationIT Risk in Credit Unions - Thematic Review Findings
IT Risk in Credit Unions - Thematic Review Findings January 2018 Central Bank of Ireland Findings from IT Thematic Review in Credit Unions Page 2 Table of Contents 1. Executive Summary... 3 1.1 Purpose...
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Agreement dated as of is made by and between, on behalf of its (School/Department/Division) (hereinafter referred to as Covered Entity ) and, (hereinafter Business Associate
More informationParticipant Webinar: DURSA Amendment Summary. March 23, 2018
Participant Webinar: DURSA Amendment Summary March 23, 2018 How Do I Participate? Problems or Questions? Contact Dawn Van Dyke dvandyke@sequoiaproject.org ` 2 DURSA Historical Milestones Jul Nov 2009 May
More informationHOW TO EXECUTE THIS DPA:
DATA PROCESSING ADDENDUM (GDPR, and EU Standard Contractual Clauses) (Rev. April 20, 2018) This Data Processing Addendum ( DPA ) forms part of the Master Subscription Agreement or other written or electronic
More informationDATA PRIVACY I. POLICY DEFINITIONS
DATA PRIVACY I. POLICY CBRE is committed to respecting and protecting the privacy of individuals and keeping Personal Information secure by complying with applicable data protection, privacy and information
More informationVirus Protection and Personal Internet & Identity Theft Coverage Terms and Conditions
Virus Protection and Personal Internet & Identity Theft Coverage Terms and Conditions Total Internet Protection Plan Summary: Identity Theft Coverage and Virus Protection Coverage is aggregately valued
More informationCybersecurity and the Law Seminar
Cybersecurity and the Law Seminar A practical walk-through of the legal landscape, enforcement, management liability and discussions on potential real-world situations Zurich 25 September 2018 What can
More informationFiduciary Duties of Directors of Charitable Organizations
Guide for board members Fiduciary Duties of Directors of Charitable Organizations From the Office of Minnesota Attorney General Lori Swanson Introduction The Attorney General s Office has prepared this
More informationInvestment Management Alert
Investment Management Alert December 10, 2015 If you read one thing... Proposed Regulation AT sets out minimum pre-trade safeguards and internal policy requirements on all AT Persons, which would generally
More information1.4. If you do not agree with any of the provisions in these Terms & Conditions, do not accept a Mintebi Consultation or use the Website.
EXPERT ENGAGEMENT LETTER - JUNE 12 2017 1. Introduction 1.1. These terms and conditions ( Terms & Conditions ) are entered into between you ( you, your, Advisor, Subject-matter expert, Consultant or Expert
More informationFLORIDA DEPARTMENT OF FINANCIAL SERVICES DIVISION OF AGENT AND AGENCY SERVICES
FLORIDA DEPARTMENT OF FINANCIAL SERVICES DIVISION OF AGENT AND AGENCY SERVICES DFS AA RCP 14/15-06 Preparation and Development of the Florida General Lines Agents /Customer Representatives and the Florida
More informationElectronic Plan Administration
Page 1 of 5 Electronic Plan Administration August 6, 2001 Ms. Anne Combs, Assistant Secretary Pension and Welfare Benefits Administration United States Department of Labor 200 Constitution Ave, NW Washington,
More informationQuality of Internal Control Certification. Office of Parks, Recreation and Historic Preservation
New York State Office of the State Comptroller Thomas P. DiNapoli Division of State Government Accountability Quality of Internal Control Certification Office of Parks, Recreation and Historic Preservation
More informationAGENCY: Board of Governors of the Federal Reserve System. SUMMARY: Under section 805(a)(1)(A) of the Dodd-Frank Wall Street Reform and
FEDERAL RESERVE SYSTEM 12 CFR Part 234 Regulation HH; Docket No. R-1412 RIN No. 7100-AD71 Financial Market Utilities AGENCY: Board of Governors of the Federal Reserve System. ACTION: Notice of Proposed
More informationINTERNET BANKING SERVICES TERMS AND CONDITIONS
SINGAPORE BRNACH 76 Shenton Way, #01-02, Singapore 079119 TEL: (65)6221-5755 FAX: (65)6225-1905 INTERNET BANKING SERVICES TERMS AND CONDITIONS YOU MUST READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE
More informationARTICLES OF ASSOCIATION OF THE BANK HANDLOWY W WARSZAWIE S.A.
Uniform text of the Articles of Association of the Bank Handlowy w Warszawie S.A. edited by the Resolution of the Supervisory Board of November 14, 2015 with the amendments adopted by the Resolution No
More informationFIGHTING FOR YOUR CLIENTS EMPLOYEE BENEFITS How to Handle an ERISA Benefit Appeal By Talia Ravis, esq. Law Office of Talia Ravis
FIGHTING FOR YOUR CLIENTS EMPLOYEE BENEFITS How to Handle an ERISA Benefit Appeal By Talia Ravis, esq. Law Office of Talia Ravis 1. Purpose. More often than not, insurance claimants seek legal assistance
More informationGeorgia Power Valdosta Federal credit union Privacy Policy
Georgia Power Valdosta Federal credit union Privacy Policy Review/Revision Date: October 20,2016 Approval Date: February 26, 2001 Approved by: Board of Directors General Policy Statement: The Georgia Power
More informationDTCC DERIVATIVES REPOSITORY OPERATING PROCEDURES
DTCC DERIVATIVES REPOSITORY OPERATING PROCEDURES 1. Introduction DTCC DERIVATIVES REPOSITORY PLC (the Company ), a company organized under the laws of England and Wales, has entered into User Agreements
More informationSTATE STREET GLOBAL ADVISORS TRUST COMPANY INVESTMENT FUNDS FOR TAX EXEMPT RETIREMENT PLANS AMENDED AND RESTATED FUND DECLARATION
STATE STREET GLOBAL ADVISORS TRUST COMPANY INVESTMENT FUNDS FOR TAX EXEMPT RETIREMENT PLANS AMENDED AND RESTATED FUND DECLARATION STATE STREET SHORT TERM INVESTMENT FUND (the Fund ) Pursuant to Article
More informationDATA PROCESSING AGREEMENT
DATA PROCESSING AGREEMENT This Data Processing Agreement (the DPA ), entered into by the Customer and the company Ganttic OÜ (company registration number 11979702) having its registered office at Lai tn
More informationAPPLICATION for: TechGuard Liability Insurance Claims Made Basis. Underwritten by Underwriters at Lloyd s, London
APPLICATION for: TechGuard Liability Insurance Claims Made Basis. Underwritten by Underwriters at Lloyd s, London SECTION I. GENERAL INFORMATION 1. Name of Applicant: Physical Address: (as it should appear
More informationCHARITY & NFP LAW BULLETIN NO. 419
CHARITY & NFP LAW BULLETIN NO. 419 APRIL 25, 2018 EDITOR: TERRANCE S. CARTER IMPLICATIONS OF THE EU S GENERAL DATA PROTECTION REGULATION IN CANADA By Esther Shainblum & Sepal Bonni * A. INTRODUCTION The
More informationMentor Public Schools Board of Education 8.18 Policy Manual page 1 Chapter VIII Fiscal Management PROCUREMENT WITH FEDERAL GRANTS/FUNDS
Policy Manual page 1 PROCUREMENT WITH FEDERAL GRANTS/FUNDS Procurement of all supplies, materials, equipment, and services paid for with federal funds or District matching funds shall be made in accordance
More informationAccounts Receivable and Debt Collection Processes. Internal Controls and Compliance Audit
This document is made available electronically by the Minnesota Legislative Reference Library as part of an ongoing digital archiving project. http://www.leg.state.mn.us/lrl/lrl.asp O L A OFFICE OF THE
More informationHow Studying SEC Enforcement Trends Can Help Hedge Fund Managers Prepare for SEC Examinations and Investigations
EXAMINATIONS How Studying SEC Enforcement Trends Can Help Hedge Fund Managers Prepare for SEC Examinations and Investigations By Michael Washburn In a recent interview with The Hedge Fund Law Report, Patricia
More informationGUIDELINES ON AGENT BANKING FOR BANKS AND FINANCIAL INSTITUTIONS,
GUIDELINES ON AGENT BANKING FOR BANKS AND FINANCIAL INSTITUTIONS, 2017 BANK OF TANZANIA ARRANGEMENT OF GUIDELINES 1. Part I: Preliminary 2. Part II: Objectives 3. Part III: Approval Process and Permissible
More informationARE YOU HIP WITH HIPAA?
ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined
More informationREF STANDARD PROVISIONS
This Data Protection Addendum ( Addendum ) is an add- on to the Purchasing Terms and Conditions. It is applicable only in those situations where the Selected Firm/Vendor provides goods or services under
More informationAdvisory Standards I. GOVERNMENT REGULATIONS & GOVERNING DOCUMENTS
Advisory Standards I. GOVERNMENT REGULATIONS & GOVERNING DOCUMENTS The AGRiP Advisory Standards covering Government Regulations and Governing Documents address the legal requirements placed on pool formation
More informationCollection of Checks and Other Items by Federal Reserve Banks and Funds Transfers Through Fedwire
This document is scheduled to be published in the Federal Register on 11/30/2018 and available online at https://federalregister.gov/d/2018-25267, and on govinfo.gov FEDERAL RESERVE SYSTEM 12 CFR Part
More informationELECTRONIC RECORDING VENDOR MEMORANDUM OF UNDERSTANDING
ELECTRONIC RECORDING VENDOR MEMORANDUM OF UNDERSTANDING THIS VENDOR MEMORANDUM OF UNDERSTANDING (hereinafter referred to as MOU) dated, is between the office of the Register of Deeds of Wake County, North
More informationT A B L E of C O N T E N T S
INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT THE FIFTH ANNUAL SURVEY ON THE CURRENT STATE OF AND TRENDS IN INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT Sponsored by October 2015
More informationThe General Data Protection Regulation s Impact on M&A
The General Data Protection Regulation s Impact on M&A PRACTICAL ADVICE ON HOW TO CONTINUE A SMOOTH M&A PROCESS Presented by Avi Gesser, Davis Polk partner, Litigation/Cybersecurity Pritesh P. Shah, Davis
More information