
New York and Feds Leading the Charge on Financial Institution Cybersecurity Regulations

Firm Publication


November 18, 2016

Both federal and state officials recently proposed new regulations aimed at the financial sector in an effort to promote protection against high-impact technology failures and cyberattacks.

FDIC, Federal Reserve System, and Office of the Comptroller of the Currency

On October 19, 2016, the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve System (the Fed) and the Office of the Comptroller of the Currency (OCC) collectively issued an advance notice of proposed rulemaking suggesting new cybersecurity regulations for banks and bank holding companies with assets totaling more than $50 billion. The proposed rules would also extend to nonbank financial companies and financial market utilities supervised by the Federal Reserve Board of Governors, and third parties that provide services to covered entities. Public comments to the proposed rulemaking must be received by January 17, 2017.

The proposed federal regulations would mandate that subject entities institutionalize certain cyber risk management standards in these areas:

  1. cyber risk governance;
  2. cyber risk management;
  3. internal dependency management;
  4. external dependency management; and
  5. incident response, cyber resilience and situation awareness.

The standards would be tiered, with more stringent standards for systems that provide key functionality to the financial sector.

The goal of the proposal is "increasing [financial institutions'] operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities," according to FDIC Chairman Martin Gruenberg.

Specifically, the agencies are considering requiring that covered entities develop board-approved cyber risk management strategies, with senior management held accountable for establishing and implementing policies consistent with the strategies. The agencies also have proposed requiring covered entities to regularly analyze and address the cyber risks of relationships with third-party service providers, and periodically test alternative solutions if the third party fails to perform as expected. Additionally, as part of an effort to minimize business disruption, the agencies are considering regulations requiring protocols for secure, immutable, off-line storage of critical records, and specific testing to address potential threats.

While the three agencies involved already examine entities' information security practices during regular supervisory reviews, the new standards are intended to strengthen cybersecurity practices and thereby reduce the potential harm to the U.S. financial system from a cyberattack or major IT failure.

New York's Department of Financial Services Proposed Regulations

The New York Department of Financial Services (DFS) has issued a proposed set of regulations requiring that all entities licensed or registered under New York banking, insurance or financial services laws, including state-licensed banks, insurance companies, private bankers, licensed lenders, mortgage companies and state-licensed offices of non-U.S. banks, assess their cyberattack risk profiles, and implement mandatory cybersecurity policies and programs. Certain smaller institutions would be exempted. If adopted, the regulations are expected to be incorporated into final regulations taking effect January 1, 2017. Firms covered by the regulation would have 180 days to comply.

Under the proposed DFS regulations, covered institutions must comply with a number of comprehensive requirements, including:

  • Appointing a chief information security officer (which may be met using third-party service providers under certain conditions);
  • Implementing a written cybersecurity policy that addresses, at a minimum, enumerated areas, including data governance and classification, access controls and identity management, business continuity and disaster recovery, systems and network security and monitoring, customer data privacy, vendor and third-party service provider management, and incident response;
  • Penetration testing information systems at least annually, and conducting vulnerability assessments at least quarterly;
  • Conducting annual risk assessments;
  • Implementing written policies designed to ensure security of third-party access to information systems and nonpublic information;
  • Limiting data retention;
  • Encrypting all nonpublic information held or transmitted by the covered institution;
  • Establishing a written incident response plan;
  • Annually certifying compliance to DFS (beginning in January 2018);
  • Notifying DFS within 72 hours of learning of any cybersecurity event that has a reasonable likelihood of materially affecting the normal operation of the covered institution's business, or that affects nonpublic information (including any attempt – whether successful or unsuccessful – to gain unauthorized access to, disrupt or misuse the covered institution's information systems or information stored on such systems).

Many requirements under the proposed federal and New York regulations reflect best practices and are consistent with existing guidance. Covered institutions should evaluate the impact these regulations may have on their existing cybersecurity governance and management practices, and consider taking steps to bring their policies and practices into alignment with the proposed regulations. However, because neither of these proposed sets of regulations has been adopted to date, the final contours of each are unknown. We will continue to monitor the status of these proposals and their potential impact on affected companies.
