Policy Patty Toolkit 

Making the world a little more compliant one toolkit at a time.


SEC Investigative Report: Public Companies Should Consider Cyber Threats When Implementing Internal Accounting Controls

Posted on October 17, 2018 at 1:20 PM

The SEC issued an investigative report cautioning that public companies should consider cyber threats when implementing internal accounting controls. The report is based on the SEC Enforcement Division's investigations of nine public companies that fell victim to cyber fraud, losing millions of dollars in the process.

The SEC's investigations focused on "business email compromises" (BECs) in which perpetrators posed as company executives or vendors and used emails to dupe company person...

Read Full Post »

SEC Charges Firm With Deficient Cybersecurity Procedures

Posted on September 27, 2018 at 9:15 AM

The SEC found Voya Financial Advisors in violation of the Identity Theft Red Flags Rule. The firm agreed to pay $1 million to settle charges for having deficient cyber-security policies and procedures concerning a cyber intrusion that compromised the personal information of thousands of customers.

The broker-dealer and investment adviser was charged with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and pr...

Read Full Post »

NY DFS Reminder re Upcoming Cybersecurity Regulation Compliance Date

Posted on August 13, 2018 at 3:05 PM

NY Department of Financial Services Superintendent Maria T. Vullo reminded all Department of Financial Services (DFS) regulated entities covered by DFS's landmark cybersecurity regulation that the third transitional period of New York's first-in-the-nation cybersecurity regulation ends on September 4, 2018. Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by DFS are required to have come into compliance with several additional pr...

Read Full Post »

Equifax Enters Consent Order with Eight States

Posted on June 29, 2018 at 8:35 AM

Credit reporting firm Equifax Inc. and the commissioners of eight state banking departments (Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas) entered a consent order. The order follows an expansive investigation into the firm’s security practices following a cyber-attack last year that exposed data on more than 143 million people.

Under the consent order, Equifax must take corrective actions that include the following:

Read Full Post »

NY DFS to Issue a Final Regulation Requiring Credit Reporting Agencies to Comply with New York's First-in-the-Nation Cybersecurity Regulation

Posted on June 26, 2018 at 8:00 AM

New York's Department of Financial Services ("DFS") has issued a final regulation to protect New Yorkers from the threat of data breaches at credit reporting agencies. DFS, in response to the data breach at Equifax, issued New York's first-in-the-nation cybersecurity regulation to safeguard New York's markets, consumers and sensitive information from cyberattacks. The Equifax breach exposed the personal private data of millions of New Yorkers. DFS's oversight of credit reporting agencies will...

Read Full Post »

Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million

Posted on April 24, 2018 at 1:40 PM

The SEC announced that the entity formerly known as Yahoo! Inc. agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.

Per the SEC’s order:

• Following a December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen information on user accounts.


Read Full Post »

Free Guide from IT Governance on 12 cyber security questions to ask your CISO

Posted on January 16, 2018 at 9:05 AM

IT Governance issued a free guide on what CEOs and boards of directors need to know about their respective cybersecurity controls. Considering regulatory pressures (most notably the EU General Data Protection Regulation (GDPR)) and increasing reliance on technology and big data, organizations have more pressure now than ever to reduce their cyber risks.

Effective cybersecurity controls and, more importantly, the overall program are critical to any organization. To help the board play an esse...

Read Full Post »

Proposed CFIUS Overhaul Focuses on Cybersecurity and High-Tech Sectors

Posted on December 4, 2017 at 10:40 AM

Interesting analysis done by MoFo on recent proposed legislation that would substantially overhaul current law governing the Committee on Foreign Investment in the United States (CFIUS). These proposed changes would dramatically expand CFIUS’ authorities, including having CFIUS factor in cybersecurity and information security when authorizing foreign investments in U.S. businesses.

The analysis covers:

• Cybersecurity Concerns

• Expansion of CFIUS Jurisdicti...

Read Full Post »

NASAA issues 2017 exam summary and cybersecurity checklist for Investment Advisers

Posted on November 2, 2017 at 7:55 AM

The North American Securities Administrators Association (“NASAA”) released a couple of very useful resources for investment advisers.

The first is a summary of NASAA’s 2017 results of the 1,203 reported exams of state-registered investment advisors. The exams covered 37 U.S. jurisdictions and took place between January and June, with 2017 being the first year that cyber was tracked. The state securities regulators have oversight responsibility for investment advisors with...

Read Full Post »

FTC issues guidance for small businesses on data safeguards

Posted on October 12, 2017 at 7:55 AM

The FTC issued a series of guidance on how small businesses can protect their data from deletion, hacking, or theft. The information is issued as part of overall efforts to promote awareness during National Cybersecurity Awareness Month. The effort is designed to give access to the resources the FTC has to help you and your employees understand cybersecurity, maintain your business’ computer networks safely, and keep sensitive information protected.

This guidance includes:


Read Full Post »