Notwithstanding the venerable status of the attorney-client privilege and the important purposes it serves, the federal banking regulators and the Consumer Financial Protection Bureau have taken the position that they have the legal authority to override the privilege and compel supervised institutions to produce information protected by the privilege.  Seven
Continue Reading Banking Regulators’ Examination Authority Does Not Override Attorney-Client Privilege

Financial services regulatory reform in 2018 is complex and evolving. To assist in navigating this landscape, we have prepared a reference tool that provides context and summarizes current developments across a range of key regulatory areas, agencies and actors.  We will continue to track these issues and provide updated versions
Continue Reading Davis Polk Financial Services Regulatory Reform Tool–March 2018

On Halloween, the New York and Vermont attorneys general obtained a $700,000 settlement from Hilton for, among other violations, late breach notification.  Davis Polk has published a blog post on this increase in cyber regulation enforcement and the effect on breach notification deadlines.  The full blog post is available at
Continue Reading Cybersecurity Blog Post: More Tough Penalties for Late Breach Notification

On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach notification requirement, among other violations. Davis Polk has published a blog post on this escalation in breach notification enforcement and what it
Continue Reading Cybersecurity Blog Post: $1M Breach Notification Fine for Indian Bank Shows Increased Enforcement of Information Sharing

During congressional hearings earlier this month, senators grilled Richard Smith, the former Equifax CEO, on the company’s reporting structure for cybersecurity; specifically, on the appropriateness of Equifax’s CISO reporting to the general counsel.  Davis Polk has published a blog post on the reporting structure for CISOs and factors companies should
Continue Reading Cybersecurity Blog Post: After Equifax, to Whom Should the CISO Report?

The Federal Reserve’s proposed supervisory guidance on corporate governance is a breath of fresh air that should encourage banking boards to focus on their core responsibilities and avoid blurring the distinctions between executive and non-executive duties.  It is also a signal that supervisors intend to move away from the blunt
Continue Reading The Federal Reserve Breathes Fresh Air into Its Corporate Governance Guidance

With about a month to go until the first set of NYDFS’s cybersecurity rules goes into effect (on August 28, 2017), we are proud to announce the formal launch of the Davis Polk Cyber Breach Center. The blog will help you keep pace with industry best practices and be
Continue Reading Announcing our Cybersecurity Blog; One Month Until the NYDFS Cybersecurity Rules Take Effect

In a Risk Perspective released on July 7, 2017, the Office of the Comptroller of the Currency (“OCC”) emphasized the need for institutions to be cyber resilient – i.e., be able to respond to cyber attacks by managing various risks.  Acting Comptroller Keith Noreika noted in a speech on the
Continue Reading Beyond Prevention: Regulators Focus on Cyber Resilience, Highlighting Importance of Risk Assessment

Three recent cybersecurity events highlight the need for companies to review their access controls to limit who has administrator privileges and how long those elevated privileges last.

First, this week, computer malware that has variously been called PetyaWrap, WannaCry2, GoldenEye and NotPetya began spreading in dozens of countries, encrypting computers
Continue Reading The PetyaWrap Attack, Anthem Data Breach Settlement, and NYDFS Cyber Regulations All Highlight that Companies Should Review Their Access Controls

On June 26, 2017, the full D.C. Circuit Court of Appeals split down the middle over whether the Securities and Exchange Commission’s (the “SEC’s”) appointment of Administrative Law Judges (“ALJs”) is consistent with the Constitution.  As detailed in a prior alert, panels of the Tenth and D.C. Circuit Courts
Continue Reading After Full D.C. Circuit Deadlocks, Circuit Court Split over Constitutionality of SEC Administrative Law Judges Likely Bound for Supreme Court