cybersecurityAs noted in Part One of this article, issuance of the second "Monaco Memo" by the U.S. Department of Justice in October 2022 sparked debate anew about the self-reporting of misconduct by corporations. Settlements between the Justice Department and several large companies since then have brought greater clarity to the approach taken by Deputy Assistant Attorney General Lisa Monaco to corporate self-disclosure.

While these are notable developments for practitioners who defend corporations, they should be placed in context for counsel that represent entities supervised by the New York State Department of Financial Services (DFS). Numerous self-disclosure obligations already reside in New York statutes, regulations and supervisory agreements, as described more fully in Part One of this article. These requirements continue to be the North Stars guiding disclosure considerations for DFS-regulated entities.

This Part Two discusses a specific disclosure requirement for a critical self-reporting obligation under what is known as "Part 500" (23 N.Y.C.R.R. §500 et seq.), the DFS Cybersecurity Regulation. The article next addresses the consequences of failing to follow DFS self-reporting requirements, as revealed in recent DFS enforcement actions. The article concludes with some general guidance on self-disclosure for DFS practitioners and regulated entities.