
New York and Feds Leading the Charge on Financial Institution Cybersecurity Regulations

Firm Publication


November 18, 2016

Both federal and state officials recently proposed new regulations aimed at the financial sector in an effort to promote protection against high-impact technology failures and cyberattacks.

FDIC, Federal Reserve System, and Office of the Comptroller of the Currency

On October 19, 2016, the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve System (the Fed) and the Office of the Comptroller of the Currency (OCC) collectively issued an advance notice of proposed rulemaking suggesting new cybersecurity regulations for banks and bank holding companies with assets totaling more than $50 billion. The proposed rules would also extend to nonbank financial companies and financial market utilities supervised by the Federal Reserve Board of Governors, and third parties that provide services to covered entities. Public comments to the proposed rulemaking must be received by January 17, 2017.

The proposed federal regulations would mandate that subject entities institutionalize certain cyber risk management standards in these areas:

  1. cyber risk governance;
  2. cyber risk management;
  3. internal dependency management;
  4. external dependency management; and
  5. incident response, cyber resilience and situation awareness.

The standards would be tiered, with more stringent standards for systems that provide key functionality to the financial sector.

The goal of the proposal is "increasing [financial institutions'] operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities," according to FDIC Chairman Martin Gruenberg.

Specifically, the agencies are considering requiring that covered entities develop board-approved cyber risk management strategies, with senior management held accountable for establishing and implementing policies consistent with the strategies. The agencies also have proposed requiring covered entities to regularly analyze and address the cyber risks of relationships with third-party service providers, and periodically test alternative solutions if the third party fails to perform as expected. Additionally, as part of an effort to minimize business disruption, the agencies are considering regulations requiring protocols for secure, immutable, off-line storage of critical records, and specific testing to address potential threats.

While the three agencies involved already examine entities' information security practices during regular supervisory reviews, the new standards are intended to strengthen cybersecurity practices and therefore reduce the potential harm to the U.S. financial system from a cyberattack or major IT failure.

New York's Department of Financial Services Proposed Regulations

The New York Department of Financial Services (DFS) has issued a proposed set of regulations requiring that all entities licensed or registered under New York banking, insurance or financial services laws, including state-licensed banks, insurance companies, private bankers, licensed lenders, mortgage companies and state-licensed offices of non-U.S. banks, assess their cyberattack risk profiles, and implement mandatory cybersecurity policies and programs. Certain smaller institutions would be exempted. If adopted, the regulations are expected to be incorporated into final regulations taking effect January 1, 2017. Firms covered by the regulation would have 180 days to comply.

Under the proposed DFS regulations, covered institutions must comply with a number of comprehensive requirements, including:

  • Appointing a chief information security officer (which may be met using third-party service providers under certain conditions);
  • Implementing a written cybersecurity policy that addresses, at a minimum, enumerated areas, including data governance and classification, access controls and identity management, business continuity and disaster recovery, systems and network security and monitoring, customer data privacy, vendor and third-party service provider management, and incident response;
  • Penetration testing information systems at least annually, and conducting vulnerability assessments at least quarterly;
  • Conducting annual risk assessments;
  • Implementing written policies designed to ensure security of third-party access to information systems and nonpublic information;
  • Limiting data retention;
  • Encrypting all nonpublic information held or transmitted by the covered institution;
  • Establishing a written incident response plan;
  • Annually certifying compliance to DFS (beginning in January 2018);
  • Notifying DFS within 72 hours of learning of any cybersecurity event that has a reasonable likelihood of materially affecting the normal operation of the covered institution's business, or that affects nonpublic information (including any attempt – whether successful or unsuccessful – to gain unauthorized access to, disrupt or misuse the covered institution's information systems or information stored on such systems).

Many requirements under the proposed federal and New York regulations reflect best practices and are consistent with existing guidance. Covered institutions should evaluate the impact these regulations may have on their existing cybersecurity governance and management practices, and consider taking steps to bring their policies and practices into alignment with the proposed regulations. However, because neither of these proposed sets of regulations has been adopted to date, the final contours of each are unknown. We will continue to monitor the status of these proposals and their potential impact on affected companies.
