The 180-day transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies is set to expire Aug. 28, 2017. Financial services companies must achieve compliance with the cybersecurity regulations prior to this deadline or face substantial monetary penalties and reputational harm.

Cybersecurity Regulation Overview

The cybersecurity regulations became

On October 19, 2016, the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (together, the “Prudential Regulators”) published an advance notice of proposed rulemaking (ANPR) that would require banks with more than $50 billion in assets to take additional steps to protect against cyber-attacks.  Comments to the

Last Monday, October 24, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray spoke on the Bureau’s approach to FinTech at Money 20/20, a conference focused on payments and financial service innovation.  In his remarks, Cordray focused on responding to criticism of the CFPB’s enforcement actions against FinTech start-ups and appeared to warn large financial

Businesses and financial entities continue to grapple with the increasing frequency and sophistication of hacking, displayed by the recent botnet attack that affected numerous websites on October 21, 2016, as well as the recent SWIFT hack which was used to steal $81 million from the Bangladeshi central bank.  On October 11, 2016, G-7

On October 18, 2016, the Federal Financial Institutions Examination Council (FFIEC) issued answers to frequently asked questions (FAQs) to clarify points in FFIEC’s Cybersecurity Assessment Tool (Assessment).  FFIEC released the Assessment in June 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness.  The Assessment incorporates cybersecurity principles from the FFIEC Information Technology (IT) Examination Handbook (the IT Handbook) and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the NIST Framework).  While FFIEC’s Assessment is a good tool for banks to evaluate their cybersecurity standards, some banks experienced challenges mapping processes to the NIST Framework and interpreting FFIEC’s IT Handbook.  FFIEC’s FAQs should resolve these common issues, but they also raise other questions.

On October 6, 2013, the Federal Financial Institutions Examination Council (FFIEC) announced that it will host two webinars with the goal of increasing cybersecurity preparedness by its member financial institutions.  FFIEC’s webinars are in recognition and observance of National Cybersecurity Awareness Month.

FFIEC’s first webinar will cover Mobile Financial Services – Appendix E of

On September 9, 2016, the Federal Financial Institutions Examination Council (FFIEC) updated its Information Security Booklet (available here).  In addition to certain editorial non-substantive changes, the modifications include revisions to IT risk management and information security processes, and updated examination procedures in Appendix A to help examiners evaluate an institution’s culture, governance, information

On September 13, 2016, the New York Department of Financial Services (DFS) proposed new first-in-the-nation cybersecurity regulations (Regulations) that would require banks and other financial institutions to adopt minimum cybersecurity standards. In some ways the regulations are consistent with existing Federal Financial Institutions Examination Council (FFIEC) cybersecurity guidelines and FFIEC’s Information Technology (IT) Examination Handbook

On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) reminded banks of the cyber risks associated with interbank messaging and wholesale payment networks. FFIEC made its announcement after hackers allegedly used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system to steal millions of dollars from banks around the world, including $81

Somewhere in a lavish Mediterranean villa a drug lord wearing an off-white suit had a heart attack. Elsewhere a tech whiz in Silicon Valley refreshed his browser multiple times as his heart sank further with each reloaded page.  And a banker in New York put a hold on an equity trade and cursed louder than he ever had before.  Like the beginning of a classic joke, the drug lord, the tech whiz and the banker had all been fooled.  Through each of their minds, the question raced:  “Dude, where’s my bitcoin?”


In early August, hackers stole almost 120,000 bitcoins (worth approximately $72 million at the time) from client accounts of a high-profile Bitcoin exchange, Bitfinex, based out of Hong Kong. This caused Bitcoin prices to briefly plummet and followed a similar attack in 2014 on Mt. Gox, which was then the world’s largest Bitcoin exchange (of note, Mt. Gox subsequently went bankrupt).

This latest heist comes on the heels of Bitfinex CFO Giancarlo Devasini’s very forward-thinking proclamation, “With our BitGo wallet solution it becomes impossible for our users to lose their bitcoins due to us being hacked or stealing them.” With such a bold statement, combined with the impervious view of hindsight, one must carefully ponder the future tenure of the CFO, or the future of Bitfinex, or even that of Bitcoin itself.

The theft is obviously a problem for those customers whose precious cryptocoins were stolen, fans of digital currency generally, operators of Bitcoin exchanges and various Bitcoin “banks” or “wallets.” Bitfinex’s response to the hack is unlikely to resonate with its clients after the exchange indicated that losses would be spread across all customer accounts, amounting to an approximately 36% generalized loss.  Although Bitfinex has attempted to assure its clients that they would be made whole at some point in the future, a potential investor might be prone to pause at this juncture in any bitcoin venture.
