New Cyber-resilience Oversight Expectations may carry compliance challenges

by Dentons

Getting cyber-resilience right matters. In July 2018, we published our analysis[1] of the European Central Bank’s (ECB) first foray into setting out its expectations on cyber-resilience. In September, it finalized the TIBER-EU Framework on ethical red teaming by setting out standards that firms ought to meet in selecting eligible providers of recognized TIBER tests.[2] All of this marked a “crossing of the Rubicon” for the ECB, acting in its central banking and financial stability role as opposed to its financial regulatory and supervisory role at the head of the Banking Union’s Single Supervisory Mechanism (SSM) – which itself continues to treat cyber-resilience as a key supervisory priority for 2019 and beyond. The ECB continued its work on cyber-resilience on December 3, 2018 by publishing its Cyber-Resilience Oversight Expectations (the CROE) for financial market infrastructures (FMIs).[3]

The 2018 CROE replaces the 2016 version, and it does so with considerable effect. It sets very comprehensive and prescriptive expectations that, over its 62 pages, translate into in-scope entities needing to consider on-going risk assessments, to introduce more detailed compliance and governance processes than may have been commonplace, and to put cyber-resilience at the heart of various operations, including when recruiting staff. It also comes at a time when international banking sector standard setters, including the Bank for International Settlements’ BCBS, have published their own updates on cyber-resilience, including the December 2018 “Report on Cyber-resilience: Range of practices” evaluating the state of play in various key jurisdictions.[4] The ECB regularly points to and applies practices from international standard setters, including the BCBS, even where these are not measures with legal effect. The measures should also be read in conjunction with national measures that may have legal effect, such as, in Germany, the extension of the Federal Financial Supervisory Authority’s (BaFin) own cyber-resilience regime (BAIT), which was amended in September 2018 to cover critical infrastructure.

This Client Alert assesses CROE’s requirements and the ECB’s expectations of FMIs, as well as of Banking Union Supervised Institutions (BUSIs) that face FMIs, which may need to document cyber-resilience compliance in considerably more depth or to which the ECB, in its SSM role, may address similar expectations. The CROE will be of relevance and interest to existing FMIs and to new FMIs looking to enter the Eurozone, as well as to the range of BUSIs and other non-SSM supervised EU and non-EU credit institutions, other regulated market participants and non-financial corporates. The CROE also sets out what the ECB looks for in the job role and performance of a Senior Executive or the Chief Information Security Officer (CISO), which may be of wider-reaching interest.

The aims of CROE and its key contents

The ECB intends that CROE will be applied by the Eurosystem (i.e. Eurozone central banks) to the oversight of all payment systems (designated in turn as systemically important payment systems (SIPS), prominently important retail payment systems (PIRPS) and other retail payment systems (ORPS)) and the TARGET2-Securities system (T2S). The 2018 CROE is also clear that national central banks, operating under national law competencies, often in conjunction with other national competent authorities, may opt in to use the CROE for any “other” FMIs; primarily this is aimed at clearing and settlement systems (including central securities depositories (CSDs) and central counterparties (CCPs)). We anticipate that CROE will become, as has been the case in other ECB rulemaking exercised by way of non-binding guidance, more widely adopted by core Eurozone member states, in particular those with significant FMIs operating within their jurisdiction.

The CROE, whilst building on international guidelines, such as those established by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO), and in particular their jointly published 2016 “Guidance on cyber-resilience for financial market infrastructures” (the Guidance), goes beyond those principles while at the same time setting out concrete steps on how to operationalize the Guidance. The 2018 version of CROE, like its predecessor, aims to provide:

  1. in-scope FMIs with detailed steps[5] on how to operationalize the Guidance and improve sustained cyber-resilience over a period of time;
  2. overseers with clear expectations on how to assess and monitor FMIs’ compliance with the Guidance; and
  3. the basis for a common understanding and discussion amongst in-scope FMIs and the relevant overseer,

but it also seeks to incorporate other standards it considers best practice, and to hold addressees to them, in meeting their “capabilities”, i.e., the “people, processes and technologies the FMI uses to identify, mitigate and manage its cyber risks and to support its objectives.”

CROE also communicates detail on what is expected to be included in the role of a “Senior Executive” tasked with the responsibility of “owning” cyber-resilience, as well as in the role of a CISO (the two roles may be combined). This is welcome and is also in keeping with the BCBS’ December 2018 report on practices and a general reshaping of the role of the CISO within firms and of its contribution to risk controls. Those officers, coupled with the relevant policies that aim to operationalize the requirements and expectations set in the frameworks adopted by the ECB’s international peers, conceptually aim to foster a cyber-risk awareness culture, an area that the BCBS considers crucial for relevant firms to embed throughout their operations.

The Annex to CROE sets out a welcome, practical and detailed Glossary of terms. These may be useful for FMIs but also for other market participants wanting to tackle cyber-resilience. This is the case even where this ECB Glossary expands existing defined terms, or where it diverges from terms agreed at the international level, such as by the BCBS or FSB.[6] As an example, CROE widens existing EU legal definitions and recasts “Cyber incident” as:

“A cyber event that:

  1. jeopardizes the cybersecurity of an information system or the information the system processes, stores or transmits; or
  2. violates the security policies, security procedures or acceptable use policies,

whether resulting from malicious activity or not.”

A “cyber event” is defined in CROE, very much building on EU definitions, as: “Any observable occurrence in an information system. Cyber events sometimes provide indication that a cyber incident is occurring.”

The BCBS report, unlike CROE, sets out a taxonomy of cyber risk controls in its own Annex A. For each of a number of areas, this gives a control objective, a control description, example controls and practices, and example testing approaches. Annex B of the BCBS report sets out board IT metrics that are applicable to cyber-resilience and describes which forward-looking indicators and metrics might be useful items to present to the Board (or equivalent governance function) of a firm. BCBS Annex C sets out cyber-resilience metrics in terms of events and practices before a compromising event (i.e., a cyber-incident), at the point of compromise and after compromise. Many in-scope firms may find it useful to borrow from BCBS Annexes A, B and C when designing compliance monitoring frameworks to meet CROE’s expectations.

How to comply with CROE – meet or explain

CROE establishes three levels of expectation (also referred to as “maturity levels”) against which addressees either comply with CROE’s criteria or explain why they do not meet them. Firms are expected, and T2S as well as SIPS are required, to meet and maintain at least “Advancing” maturity before migrating to “Innovating”:

  • Evolving: Essential capabilities are established, evolve and are sustained across the FMI to identify, mitigate and manage cyber-risks in alignment with the cyber-resilience strategy and framework approved by the Board. Performance of practices and capabilities is monitored and managed;
  • Advancing: In addition to meeting the “evolving” level’s requirements, practices at this level involve implementing “more advanced tools” (e.g. advanced technology and risk management tools) that are integrated across the FMI’s business lines and have been improved over time to manage the cyber risks posed to the FMI proactively. There is no qualitative standard in the CROE as to what constitutes an “advanced” tool;
  • Innovating: In addition to meeting the “evolving” and “advancing” levels, the FMI’s capabilities across the business are “…enhanced as needed in order to strengthen cyber-resilience.” Again, in the absence of qualitative examples, this leaves much to interpretation. It may also risk a divergence between those taking the meet and explain approach of CROE quite seriously and those that merely window-dress. That in turn may mean that those embedding CROE more fully will want to ensure they have material readily available to show the oversight functions, in a concrete manner, how they are meeting various (vaguely drafted) expectations. This is especially the case because, in order to meet the innovating level, relevant in-scope FMIs are expected to demonstrate that they are “…driving innovation in people, processes and technology for the FMI and the wider ecosystem to manage cyber risk and enhance cyber-resilience. This may call for new controls and tools to be developed or new information-sharing groups to be created.”

While the CROE does recognize that all addressees are different, and thus that the means by which their capabilities meet the relevant levels will differ, the CROE is drafted in a technology-, operation- and jurisdiction-agnostic manner. CROE is also built around the following risk management pillars as components of an overall cyber-resilience framework, whose criteria firms will need to meet or else explain why they do not or cannot meet them:

  1. governance
  2. identification
  3. protection
  4. detection
  5. response and recovery

These principles in each of the thematic areas are translated into Sections of CROE that detail the overarching expectation and the qualitative features that an addressee must fulfil to meet each of the levels from evolving to innovating. The common threads are summarized in the sections below.

As a general observation, while some of what is set out in CROE may be familiar to a number of CROE addressees, especially larger FMIs, the depth of what is documented, and how, may be different, as the ECB’s expectations (regardless of whether at “evolving” or “innovating”) may go beyond what is currently in place in those organizations. This extends not only to policies and procedures but also to how decisions to act or refrain from acting in a particular context are justified, along with issues of data integrity.

Governance

Section 2.1 Governance begins with expectations on establishing a cyber-resilience strategy and framework. Conceptually, some of this follows a similar approach to how the ECB-SSM communicated its supervisory expectations on transforming governance and culture in relation to non-performing loans and exposures.[7] At the heart of that process, and the core of building a framework, is the setting-up of a cross-disciplinary steering committee of senior management and appropriate staff (including (external) contractors) from multiple business units to develop a holistic framework based on the threats to the firm as well as its risk tolerance for individual and enterprise-wide impacts. Stemming from the risk self-assessment exercise, CROE expects organizations to develop and then set their cyber-resilience strategy. This should also be aligned with the corporate strategy and the firm’s “threat landscape”.

Moving on from frameworks and strategy documents, Section 2.1 of CROE looks at the role and involvement of the FMI’s “Board” (and one presumes this extends to other forums exercising similar governance and strategic steering functions), the skills and accountability of senior management and ultimately the wider risk culture of the FMI. The Board is expected to take an active role in approving the cyber-resilience strategy and framework, setting the FMI’s risk tolerance and implementing the framework in terms of the policies, procedures and controls that support it. As with other EU and, more recently, ECB-SSM rules and/or expectations (that read like rules) relating to the Board and senior management, there is a need to demonstrate both individual and collective responsibility and ability. While there is an appreciation that a “senior executive”, e.g. the CISO, may have primary responsibility and accountability, demonstrating compliance with this supervisory outcome means having collective capabilities and taking ownership.

In terms of culture, the supervisory expectation and outcome is that in-scope FMIs apply and embed a top-down as well as a bottom-up approach. Again, as with the documentation aspects in Section 2.1, the distinguishing features between each of the levels are largely the deepening degree of granularity expected both in the analysis of what affects a firm and in the capabilities in place to maintain cyber-resilience. For FMIs that are “innovating,” appointing a “cyber-expert” to the Board is one of the qualitative features. Other qualitative measures include introducing cyber-resilience and risk threat updates as a standing item on the Board meeting agenda. In order to meet the “innovating” level, senior management is expected to cooperate proactively with other stakeholders across the ecosystem to promote a cyber-resilience culture more generally.

Identification

Section 2.2 addresses “identification”, specifically that FMIs should identify and classify the business processes and information assets that should be protected against compromise, together with their external dependencies. FMIs are expected to identify and document all of their critical operations[8] and functions, the key roles, processes and information assets that support those functions, and their third-party dependencies and interconnections, and to update that information periodically. This means having in place not only measures that aim to prevent intrusions via third-party connections, and the ability to block those connections, but also validation of the FMI’s third-party relationship management and outsourcing arrangements by an independent audit function.

This risk inventory and risk assessment should be supported by a network map showing network resources with their associated IP addresses, locating routing and security devices, the servers supporting critical functions and external linkages. Further, FMIs are expected to conduct risk assessments before deploying new and/or updated technologies, products, services and connections, to identify potential threats and vulnerabilities. CROE follows the general supervisory trend amongst international peers that relevant organizations, including senior management and their Board (i.e. taking ownership and accountability beyond the IT staff), understand, map and manage their exposure to cyber-risk. This applies regardless of whether the connection, or potential exposure, is to financial or non-financial entities. CROE also expects that external map to be reflected in an understanding of the risks generated in internal functions, and thus across different business units and jurisdictions, measuring both the qualitative and quantitative impacts and the mitigants that control risk generators and exposure threats.

Getting from “evolving” to “innovating” will, according to CROE, rest on automating information feeds and data management so as to strengthen holistic, enterprise-wide risk management. The CROE is, however, silent on what FMIs will need to do to test the resilience and accuracy of those very data feeds, and does not address the concern raised by many respondents during the consultation phase that automation may actually embed and hardwire risks arising from programming or other shortcomings.

Protection

Section 2.3 deals with the effective security controls, systems and processes that protect the confidentiality, integrity and availability of the FMI’s assets. The measures to be implemented may be applied in a proportionate manner and should reflect the risk and threat landscape in which the FMI operates. FMIs are expected to “apply a defence in-depth strategy in line with a risk-based approach.” This is then clarified as meaning that an FMI should implement multiple independent security controls so that, if one control fails or a vulnerability is exploited, alternative controls will still protect the assets and/or processes that are targeted.

In order to meet the “advancing” level criteria, the FMI is expected to develop and implement a bespoke information security management system (ISMS), which CROE states “…could be based on a combination of well-recognized international standards (e.g. ISO 27001, ISO 20000-1 and ISO 27103 etc.)”. Moreover, FMIs are expected to include cyber-resilience at the outset of the system design, development and acquisition lifecycle and thus embed “resilience by design”.

The Section also goes on to set out its expectations on network and infrastructure management. As a key principle, FMIs are expected to establish secure boundaries that protect the network infrastructure. This includes using routers, firewalls, intrusion prevention or intrusion detection systems, virtual private networks and the appropriate use of proxies, as well as controlling device connectivity. The boundaries should separate trusted from untrusted zones according to the risk profiles and criticality of the information assets contained in each zone. Change and patch management processes are expected to be covered in detailed policies and procedures, with the active involvement of the cyber-security team.

Logical and physical access are also addressed in this Section, including role-based access controls that allocate system access rights and privileges to specific roles. FMIs are required to review such rights periodically and take appropriate action. Interactions with suppliers and third-party security management are also touched upon in CROE. This includes due diligence on the relevant party’s own systems and controls, and FMIs will need to factor that into the relevant onboarding process and risk review.

Embedding cyber-resilience into the recruitment and employee on-boarding process is also highlighted in the CROE as a priority area. Specifically, this Section calls for screening prospective applicants or contractors for cyber-related incidents, along with regular cyber-risk and resilience training. Moving to “innovating” under the criteria set out in this Section calls for greater use of automated solutions, both for processes at the various lifecycle steps and for individual steps and programs communicating with one another. CROE is equally silent here in terms

Detection

Section 2.4 discusses the expectations that FMIs will need to meet to show they have early detection capabilities for a potential or actual breach. Much of this Section echoes and builds upon what is set out in Section 2.2 – Identification. FMIs should have detailed incident response processes in place. Those FMIs that are “advancing” will have developed and implemented a security information and event management (SIEM) system, which correlates all network and system alerts and other unusual activity in order to detect multi-faceted attacks. This Section also sets out that FMIs should, even at the “evolving” stage, establish procedures for collecting digital evidence in a “forensically acceptable manner” and maintain a “forensic readiness policy” to support forensic investigations. This may require some very technical drafting to meet both regulatory and IT specifications.

Response and recovery

Section 2.5 deals with how FMIs should set their Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). Both are key in setting the point to which systems should be restored in order to recommence business following a cyber-incident/attack, and how quickly one can recover to that point in time. Much of what is in this Section also echoes and reiterates what is set out in the TIBER-EU Framework in terms of having computer security incident response teams. As noted in our coverage of TIBER-EU, FMIs will have an interest in having a detailed Cyber-Response and Recovery Plan, as well as escalation lists on file and in the field with the relevant colleagues.

Testing

The trend of building on the TIBER-EU Framework continues in Section 2.6 – Testing. This Section expects FMIs to carry out detailed and periodic vulnerability and penetration testing, including communicated scenario-based testing and covert “red teaming” tests. Moreover, FMIs are expected to develop, monitor and analyze detailed metrics of testing efficacy and to conduct tests regularly in collaboration with their peers, participants and third parties, in addition to industry-wide exercises that test cooperation and coordination along with communication plans.

Situational awareness and learning and evolving sections

This part of the CROE sets out what FMIs can do to monitor cyber threats, both in terms of intelligence (i.e., the tactics, techniques and procedures of attacks, along with their targets) and, going a step further than the TIBER-EU Framework for those FMIs that would like to migrate to “advancing”, in maintaining a cyber-risk threat dashboard. The dashboard aims to capture all threats, including those that could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred previously.

Situational awareness also requires information sharing, and CROE regards FMIs as complying well when they establish trusted and safe channels of communication with direct stakeholders for exchanging information. The Learning and Evolving Section ties everything together: FMIs are expected to place emphasis on cyber-resilience awareness in order to deliver on the policies the FMI has in place and on the CROE expectations, along with how to spot and report suspicious activity.

Outlook and next steps

CROE is another part of the emerging strategy of how the ECB, in its central banking and financial stability role, expands its expectations of FMIs but also those firms facing FMIs. The latter may also have additional Banking Union supervisory requirements. CROE’s focus means that FMIs and firms may need to revisit and/or expand on details in documented policies and procedures as well as how they evidence that cyber-resilience is embedded in a firm’s culture as well as people and processes.

Complying with CROE may also mean that a number of firms that are caught will need to ensure they have a clear and traceable trail of justifications (a degree of independent, documented challenge is desirable) as to why certain arrangements have been implemented to meet CROE’s expectations, or why they are proportionate. Some firms may find, notably in terms of compliance monitoring, that much of what CROE sets out as expectations could be complemented nicely by the measures set out in the BCBS Annexes to help achieve the meet or explain standard.

In terms of next steps, addressees, and those, such as BUSIs, which are likely to become addressees of similar measures, may want to consider performing a gap analysis between their current documented and operational arrangements and what CROE expects, mapping plans to migrate to the relevant maturity level and facilitating linkages with other market participants. As CROE provides prescriptive detail on what various policies ought to achieve in terms of outcomes, as well as detailed operative deliverables such as dashboards, affected parties may want to plan and involve stakeholders from early on, in particular as meeting CROE compliance is likely to be only one of many workstreams.


  1. See our analysis here.
  2. See our analysis here.
  3. See: https://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf
  4. See: https://www.bis.org/bcbs/publ/d454.pdf
  5. It is important to note that, whilst the ECB’s drafting of CROE is framed as non-binding, as with other similar non-binding guidance that forms part of the supervisory expectations and on-going supervisory dialogue of the ECB-SSM, the CROE does set definitive expectations that addressees must either “meet or explain”. The use of “should” in CROE implies a “must” or “are expected to”, as opposed to granting a degree of optionality, unless the divergence from the expectation can be justified.
  6. Including the FSB’s proposed Cyber Lexicon – available here: http://www.fsb.org/wp-content/uploads/P020718.pdf
  7. See our dedicated coverage on this from our Eurozone Hub.
  8. The CROE definition of “critical operations” builds upon that in the Guidance and means “Any activity, function, process or service, the loss of which, for even a short period of time, would materially affect the continued operation of an FMI, its participants, the market it serves, and/or the broader financial system.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:

Dentons
Contact
more
less

Dentons on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to ensure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR"). In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests) (our "Services") use a standard technology called a "cookie" and other similar technologies (such as pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they log in to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used on our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services, you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time to time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.
