The U.S. District Court for the Southern District of New York has dealt a significant blow to the cybersecurity enforcement efforts of the U.S. Securities and Exchange Commission (SEC or Commission). In its July 18, 2024,...more
7/25/2024
/ Audits ,
Chief Information Security Officer (CISO) ,
Cybersecurity ,
Internal Controls ,
NIST ,
Public Statements ,
Scienter ,
Securities and Exchange Commission (SEC) ,
Securities Fraud ,
Securities Violations ,
SolarWinds
On June 11, the Federal Communications Commission ("FCC") issued a Report and Order creating the Schools and Libraries Cybersecurity Pilot Program ("Pilot Program") to provide funding for K-12 schools, libraries, and...more
The U.S. Securities and Exchange Commission's (SEC) Division of Corporate Finance (Division) published a statement on May 21, 2024, regarding how public companies may disclose cyber incidents they determined to be immaterial....more
On May 15, the Securities and Exchange Commission adopted amendments to Regulation S-P, which covers broker-dealers, registered investment advisors (RIAs), and investment companies (funds). These entities are now required to...more
5/28/2024
/ Broker-Dealer ,
Customer Information ,
Cybersecurity ,
Data Breach ,
FACTA ,
Financial Institutions ,
Gramm-Leach-Bliley Act ,
Investment Adviser ,
Investment Companies ,
New Amendments ,
Personal Information ,
Regulation S-P ,
Reporting Requirements ,
Securities and Exchange Commission (SEC)
The U.S. Department of Commerce's ("Commerce") Bureau of Industry and Security ("BIS") has issued a proposed rule (the "Proposed Rule") that would impose significant diligence, reporting, and recordkeeping requirements on...more
2/15/2024
/ Artificial Intelligence ,
Bureau of Industry and Security (BIS) ,
Cloud Service Providers (CSPs) ,
Cybersecurity ,
IaaS ,
Know Your Customers ,
Machine Learning ,
Patent Infringement ,
Penalties ,
Proposed Rules ,
Reporting Requirements ,
Training ,
U.S. Commerce Department
As we discussed in our prior blog post, the Securities and Exchange Commission (SEC) recently finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the "Rule")....more
12/15/2023
/ Cyber Incident Reporting ,
Cybersecurity ,
Department of Justice (DOJ) ,
Disclosure Requirements ,
FBI ,
Form 8-K ,
Infrastructure ,
New Guidance ,
Popular ,
Publicly-Traded Companies ,
Remediation ,
Securities and Exchange Commission (SEC)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (UK NCSC), along with partner agencies from 17 nations, have released Guidelines for Secure AI System Development (the...more
12/5/2023
/ Artificial Intelligence ,
Asset Protection ,
Biden Administration ,
Critical Infrastructure Sectors ,
Cyber Threats ,
Cybersecurity ,
Documentation ,
Executive Orders ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Incident Response Plans ,
Infrastructure ,
Machine Learning ,
NCSC ,
NIST ,
Popular ,
Risk Management ,
Supply Chain
The Cybersecurity and Infrastructure Security Agency (CISA) has released a revised draft of its Secure Software Development Attestation Common Form ("Form"). The Form, once finalized, will obligate vendors providing software...more
12/1/2023
/ Automation Systems ,
Cybersecurity ,
Department of Justice (DOJ) ,
Executive Orders ,
False Claims Act (FCA) ,
Federal Acquisition Regulations (FAR) ,
General Services Administration (GSA) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
NIST ,
Noncompliance ,
OMB ,
Risk Assessment ,
Software Developers ,
Supply Chain
The U.S. Securities and Exchange Commission ("SEC") has charged SolarWinds Corp. (SolarWinds) and the company's chief information security officer ("CISO") with securities fraud and violations of internal controls...more
11/20/2023
/ Anti-Fraud Provisions ,
Chief Information Security Officer (CISO) ,
Cybersecurity ,
Enforcement Actions ,
Governance Standards ,
Investors ,
Misleading Statements ,
Negligence ,
NIST ,
Publicly-Traded Companies ,
Risk Management ,
Sarbanes-Oxley ,
Securities Act of 1933 ,
Securities and Exchange Commission (SEC) ,
Securities Exchange Act of 1934 ,
SolarWinds ,
Vulnerability Assessments
The Federal Trade Commission (FTC or Commission) has amended its Standards for Safeguarding Customer Information, commonly known as the "Safeguards Rule," to require non-bank financial institutions to report certain data...more
The Office of the National Cyber Director (ONCD) has extended the deadline to respond to its Request for Information (RFI) seeking public comment on "opportunities for and obstacles to harmonizing" cybersecurity regulations....more
9/14/2023
/ Cybersecurity ,
Deadlines ,
Department of Homeland Security (DHS) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Infrastructure ,
Interagency Guidance ,
NDAA ,
NIST ,
OMB ,
Popular ,
Proposed Regulation ,
Request For Information ,
Risk Mitigation
The Federal Communications Commission (FCC) has published its notice of proposed rulemaking (the NPRM) detailing the proposed creation of a voluntary cybersecurity labeling program for Internet of Things (IoT) or "smart"...more
On July 26, 2023, the Transportation Security Administration (TSA) issued a revised Security Directive governing the cybersecurity practices of owners and operators of critical liquid and natural gas pipelines and liquefied...more
The CPPA kicked off a first round of rulemaking in May 2022 and finalized that set of rules in March of this year. At the latest California Privacy Protection Agency (CPPA) meeting, the CPRA Rules Subcommittee (Rules...more
8/18/2023
/ Artificial Intelligence ,
Audits ,
Automated Systems ,
California ,
California Privacy Protection Agency (CPPA) ,
California Privacy Rights Act (CPRA) ,
Criminal Justice Reform ,
Cybersecurity ,
Machine Learning ,
New Regulations ,
Personal Information ,
Popular ,
Privacy Laws ,
Risk Assessment ,
Rulemaking Process
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the "Final Rule") by a...more
Iowa becomes the fourth U.S. state to provide an affirmative defense for companies that adopt a cybersecurity framework -
Iowa is the fourth state—following Ohio, Connecticut, and Utah—to provide a statutory incentive for...more
7/19/2023
/ Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Data Protection ,
New Legislation ,
Popular ,
Regulatory Reform ,
Risk Management ,
Safe Harbors ,
State and Local Government ,
State Data Breach Notification Statutes
According to its Spring 2023 rulemaking agenda, the U.S. Securities and Exchange Commission (SEC) has delayed issuance of two sets of cybersecurity requirements that previously were expected to be finalized in April 2023. The...more
6/28/2023
/ Broker-Dealer ,
Business Development Companies ,
Corporate Governance ,
Corporate Strategy ,
Cyber Incident Reporting ,
Cybersecurity ,
Investment Adviser ,
Proposed Rules ,
Publicly-Traded Companies ,
Registered Investment Advisors ,
Regulatory Agenda ,
Risk Management ,
Rulemaking Process ,
Securities and Exchange Commission (SEC)
Texas amended its data breach notification law to significantly tighten the deadline for notifying the state attorney general (AG) of a data breach affecting 250 or more state residents. Senate Bill 768, which amended Section...more
A reminder to non-bank financial institutions subject to the Gramm-Leach-Bliley Act (GLBA): the deadline to comply with the Federal Trade Commission's (FTC) revised Standards for Safeguarding Customer Information, commonly...more
5/19/2023
/ Compliance ,
Cybersecurity ,
Deadlines ,
Department of Education ,
Federal Trade Commission (FTC) ,
Financial Institutions ,
FTC Act ,
GLBA Privacy ,
Investment Adviser ,
Multi-Factor Authentication ,
New Rules ,
Popular ,
Risk Assessment ,
Safeguards Rule ,
Third-Party Risk
INCDPA takes business-friendly approach to data privacy, following Virginia, Utah, and Iowa -
Indiana has become the seventh state to enact a "comprehensive" data privacy law, joining California, Virginia, Colorado,...more
With Order No. 893, Commission Continues to Prioritize Regulations to Improve Electric Grid Reliability -
Cyberattacks continue to threaten the reliability of the electric grid. In response to a congressional directive to...more
The Project Management Office (PMO) for the Federal Risk and Authorization Management Program (FedRAMP) has issued an updated version of FedRAMP's 3PAO Obligations and Performance Standards (3PAO Standards), which sets forth...more
March 2023 was a consequential month for data privacy law. The California Office of Administrative Law (OAL) formally approved regulations issued by the California Privacy Protection Agency (CPPA) implementing the California...more
With the unanimous passage of Senate File 262 by the Iowa House and Senate and the Governor's signature Tuesday, the Hawkeye State joins California, Colorado, Connecticut, Virginia, and Utah as one of six states with a...more
3/31/2023
/ Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
New Legislation ,
Personal Information ,
Privacy Laws ,
Regulatory Reform ,
State Data Breach Notification Statutes ,
State Data Privacy Laws
For businesses subject to data breach notification requirements in Utah and Pennsylvania, a series of significant amendments will soon go into effect in both states. ...more