October 17, 2018

CCPs as Third Party Service Providers: Breach Notification Issues in Pratt’s Privacy & Cybersecurity Law Report


Leveraged Finance partner Douglas Landy, Alternative Investments Practice partner John Williams, Technology Practice partners Nicholas Smith and Joel Harrison, and Leveraged Finance associate James Kong co-authored an article in the October 2018 edition of Pratt’s Privacy & Cybersecurity Law Report. The article, titled “CCPs as Third Party Service Providers: Breach Notification Issues,” explains breach notification issues when central counterparties are considered third party service providers.

Among the requirements placed on New York chartered or licensed financial institutions is that, pursuant to Section 500.17 (“Notices to the Superintendent”), each such entity must notify the Superintendent as promptly as possible but in no event later than 72 hours following a cybersecurity event. This is a difficult standard to meet under the best of circumstances; however, in many cases the cybersecurity incident will occur not in the financial institution but within a third party service provider (a “TPSP”).

Section 500.11 requires each covered entity to have a TPSP security policy. Generally speaking, covered entities include New York chartered banks (such as Goldman Sachs Bank and The Bank of New York), and licensed branches and agencies of foreign banks (such as the New York branches of Deutsche Bank and BNP Paribas) (collectively, “Covered Entities”). As part of this policy, every Covered Entity must have written policies and procedures (based on the risk profile of the entity) that include relevant guidelines for due diligence and/or contractual protections addressing notice to be provided to the entity following a cybersecurity event “directly impacting … [the entity’s] Nonpublic information being held by the [TPSP].” This requirement seems to link directly to the entity’s obligation to provide the 72-hour notification.

Read the full article in Pratt's Privacy & Cybersecurity Law Report.