United States | Publication | November 2023
On November 1, 2023, the New York State Department of Financial Services (DFS) published amendments to its cybersecurity regulation 23 NYCRR Part 500 (Part 500). The published amendments mark the first substantive revision to Part 500 since the regulation was originally enacted on March 1, 2017. Financial services companies required to comply with Part 500 include partnerships, corporations, branches, agencies and associations required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking, Insurance or Financial Services Law (covered entities).
As outlined in a DFS press release, the key changes to Part 500 include:
Enhanced governance requirements;
Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;
Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning;
Updated notification requirements, including a requirement to report ransomware payments; and
Updated direction for companies to invest in annual training and cybersecurity awareness programs that anticipate social engineering attacks relevant to their business model and personnel.
A covered entity can be penalized for failing to satisfy the requirements of Part 500, for such reasons as: (1) failing to prevent unauthorized access to nonpublic information due to noncompliance with Part 500; or (2) failing to comply materially with Part 500 for 24 hours, such as by failing to file accurate and timely certifications. When considering the imposition of penalties, DFS will consider a variety of factors, including the good faith of the entity, history of prior violations, the extent of harm and the gravity of the violations.
The new regulation takes effect in phases. Covered entities have until April 29, 2024, to come into compliance with Part 500. Reporting requirements take effect on December 1, 2023.
More detailed information concerning implementation timelines for financial services companies, small businesses and Class A businesses can be obtained from DFS.
The new rule is more specific as to requirements relating to cyber incidents, which is likely to be an area that many institutions will have to address. Once procedures are updated, employees will have to be trained on those procedures, particularly with respect to the handling of nonpublic information, and specific steps to be taken in the event of a potential incident. Consideration should be given to running teams through refined table-top exercises around crisis events that include notification to DFS and other agencies.
Covered entities should determine if they are a Class A company, and if so, initiate steps to comply with those specific requirements.
© Norton Rose Fulbright LLP 2025