Tag: Cybersecurity
NIST Unveils Cybersecurity Framework 2.0
On February 26, 2024, the National Institute of Standards and Technology (NIST) released the long-awaited second version of the Cybersecurity Framework (CSF). Dubbed “CSF 2.0,” it contains a few significant changes: As we noted in a July 2023 blog post, NIST was required by the White House’s National Cybersecurity Strategy […]
New York Department of Financial Services Amends Its Cybersecurity Regulations
On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized its proposed cybersecurity rules, which build upon existing NYDFS cybersecurity requirements in the Part 500 Cybersecurity Rules. New class of covered entities: The updated rules finalize a new class of financial services companies subject to NYDFS’ regulations […]
Key Considerations for Form 8-K Cybersecurity Materiality Determinations
With 8-K reporting obligations for “material” cybersecurity incidents under the new Securities and Exchange Commission (SEC) rules becoming effective as of December 18, 2023, most companies will soon be tasked with making “real-time” materiality determinations following a cybersecurity incident. While the SEC has emphasized that the new Item 1.05 reporting […]
United Kingdom: Injunctive Relief Against Persons Unknown – The Ransomware Edition
On 11 July 2023, the English High Court handed down its decision on the claimant’s application in Armstrong Watson LLP v. Persons Unknown, granting judgment in default and final injunctive relief. Specifically, the court granted the claimant permanent injunctive relief against persons unknown – a group of unidentified hackers – […]
SEC Adopts Comprehensive Cybersecurity Disclosure Requirements
On July 26, 2023, the Securities and Exchange Commission (SEC) voted at an open meeting to adopt final rules to mandate standardized cybersecurity disclosures by public companies. The final rules will: The final rules will become effective 30 days after publication in the Federal Register. Companies other than smaller reporting companies […]
White House Releases National Cybersecurity Strategy Implementation Plan
On July 13, 2023, the White House unveiled its National Cybersecurity Strategy Implementation Plan (NCSIP or implementation plan), following the release of the National Cybersecurity Strategy. The implementation plan identifies five pillars that align with the strategy: The administration identified two key motivations for the strategy and implementation plan: The […]
One Step Closer to a European Law Regulating Artificial Intelligence
On 14 June 2023, the European Parliament adopted its negotiating position on the Artificial Intelligence (AI) Act. The European Parliament’s vote on the AI Act proposal marks a significant milestone toward the regulation of AI within the European Union, as it sets the baseline for inter-institutional negotiations, as further discussed […]
Companies Respond to SEC’s Proposed Cybersecurity Disclosure Framework
As we reported in our March 2022 client alert, the Securities and Exchange Commission released proposed cybersecurity reporting rules and solicited feedback through a 60-day comment period. The comment period ended on May 9, 2022, and the SEC received 100+ comments from business, legal, nonprofit and government sectors. While the […]
36-Hour Breach Notification Rule to Go into Effect for Banking Organizations
On November 18, 2021, three US agencies – the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB) and the Federal Deposit Insurance Corporation (FDIC) – issued a joint rule concerning computer-security incident notifications, which will go into effect on April 1, 2022, with a full […]
Cybersecurity: SEC Enforcement, Disclosure Controls and Risk Factor Disclosure
With the new leadership at the Securities and Exchange Commission, industry commentators expect the Division of Enforcement to be more aggressive in several arenas, including public company disclosure of cybersecurity incidents. While this has been a stated focus of the SEC for more than 10 years, enforcement cases relating to […]