Aravind Swaminathan Weighs in on Proposed Cybersecurity Regulations for Financial Institutions

Global Investigations Review | September 23, 2016

Aravind Swaminathan, global co-chair of Orrick’s Cybersecurity & Data Privacy team, recently spoke with Global Investigations Review regarding new plans proposed by New York’s Department of Financial Services that will require financial institutions to report cybersecurity breaches within 72 hours. These new regulations, if adopted, will go into effect January 1, 2017.

According to Aravind, “These are sophisticated regulators, and so we expect that they will understand you can’t have all the facts in 72 hours; it’s just not reasonable or frankly possible. I think they’ll be looking for early notification and an early assessment of what has happened. The key is conducting your investigation in that timeframe to get as much of the information as they are going to want to know.”

He also noted, “When you’re trying to prove negligence, it’s hard to do when there is no clear established standard of care to point to. But where there are requirements mandated by a rule or regulation, those requirements operate as a de facto standard; when companies don’t adhere to them, it makes it easy for plaintiffs to bring a case.”

Aravind added that the rules will require companies to have a much clearer understanding of where their data is held, and how to access it in the event of a breach.