Data Dive

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

On May 25, 2023, the New York Department of Financial Services (NYDFS) announced that  OneMain Financial Group (OneMain) will pay a $4.25 million fine pursuant to a consent order to settle alleged violations of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500), which included improperly storing passwords and not sufficiently managing risk from third-party data storage. According to NYDFS, OneMain has also agreed to engage in significant remediation measures as part of the settlement.

New York Law Journal published an article by Akin Gump white collar defense and government investigations partner Ian McGinley discussing United States v. Trovias. The high-profile case is a “first of its kind prosecution [in which] the Southern District of New York (SDNY) brought an insider trading case against Apostolos Trovias for selling inside information on the Dark Web.”

The U.S. Securities and Exchange Commission (SEC) in a 3-1 vote on Wednesday, March 9, 2022, proposed amendments to enhance and standardize disclosures regarding cybersecurity governance and incident reporting by public companies. Such amendments are intended to more effectively inform investors about a company’s risk management, strategy and governance relative to cyber issues and to provide timely notification of material cybersecurity incidents. 

The banking regulators of the Federal Reserve Board, Federal Deposit Insurance Corporation, and the Office of the Comptroller of Currency jointly announced a new rule requiring banking organizations in the United States to notify regulators no later than 36 hours after identifying a cybersecurity breach likely to materially disrupt banking operations. According to the final rule, such an incident could include large-scale distributed denial of service (DDoS) attacks that disrupt customers’ access to their accounts and hacking incidents that shut down a bank’s operations for an extended period. The final rule also places separate notification requirements on companies that provide services to banks, such as data processing companies.

The Federal Trade Commission (FTC) announced significant updates to the Safeguards Rule, using more detailed requirements to strengthen data security protections for consumer financial information.

Gary Gensler, Chair of the U.S. Securities and Exchange Commission (SEC), signaled a new era of cybersecurity law (and accompanying enforcement) in his keynote address “Cybersecurity and Securities Laws” on January 24, 2022, at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. Noting the ever-increasing risk of cyberattacks on the securities markets, Gensler identified new and expanded SEC initiatives and proposals to address those risks. The overall message was clear: under his direction, the SEC will seek to bolster data privacy and cybersecurity requirements, and to enhance its reporting and disclosure regime for cyber risks and cyber events.

Akin Gump published a client alert on the Department of Justice (DOJ) announcing twin programs focusing on monitoring contractor cybersecurity, and combating cryptocurrency used for illicit purposes. The announcement is part of the DOJ’s strategic cyber threat review, and follows a series of cyber incidents and subsequent federal efforts to shore up security among government agencies and contractors. To read the full alert, please click here.