Photo of Micaela McMurrough

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington's global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Contact:Read more about Micaela McMurroughEmail

On December 16, 2025, the U.S. National Institute of Standards and Technology (“NIST”) published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (“Cyber AI Profile” or “Profile”).  According to the draft, the Cyber AI Profile is intended to “provide guidelines for managing cybersecurity risk related to AI

Continue Reading NIST Publishes Preliminary Draft of Cybersecurity Framework Profile for Artificial Intelligence for Public Comment

On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”), which requires Covered Entities to implement a comprehensive cybersecurity program that includes written policies addressing TPSP risks as well as due diligence, contractual requirements, and periodic assessments for TPSPs. While the Guidance is explicit that it “does not impose any new requirements” beyond those already included in the Cybersecurity Regulation, it provides significant additional detail to clarify how to comply with existing requirements and offers industry best practices to mitigate TPSP-related cyber risks. As the Guidance suggests that NYDFS will continue to focus on TPSP-related cyber risks, Covered Entities should consider reviewing their TPSP oversight and management against the specific recommendations from the Guidance and adjusting their practices where appropriate. Alongside a review of TPSP oversight and management, Covered Entities may also consider reviewing their implementation of the provisions of the Cybersecurity Regulation requiring multifactor authentication, asset management, and data retention, which take effect on November 1, 2025.Continue Reading NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers

The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) plans to delay the publication of its much-anticipated cybersecurity incident reporting rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  According to an entry on the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions, released on September

Continue Reading CISA Delays Cyber Incident Reporting Rule for Critical Infrastructure

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), in partnership with the Federal Bureau of Investigation (“FBI”), National Security Agency, Environmental Protection Agency, and cybersecurity authorities in Australia, Canada, Germany, Netherlands, and New Zealand, published new cybersecurity guidance (the “Guidance”) related to operational technology (“OT”), i.e., systems and devices that interact with a physical environment that are commonly used in manufacturing, utilities, oil and gas production, transportation, and other industrial operations.  The Guidance, which will be of interest to any organizations that have an OT environment, is intended to help critical infrastructure entities develop and implement an OT asset inventory and taxonomy to protect their critical assets and improve incident response preparedness.  It comes in advance of upcoming cyber incident reporting requirements for critical infrastructure in the U.S. under the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) and in the EU under the revised Network and Information Systems Directive (“NIS2 Directive”).  The Guidance is the latest in a series of joint releases from CISA, FBI and other U.S. and international partners on various security-related topics largely intended for critical infrastructure, including AI data security, product security bad practices, quantum computing cyber threats, and secure software development.Continue Reading CISA Publishes OT Asset Inventory Guidance for Critical Infrastructure

Oklahoma recently enacted Senate Bill 626, which substantially amends the state’s data breach notification law to broaden the scope of notification obligations and add a new regulator notification requirement along with a new “safe harbor”-style provision that provides liability protections if certain security measures are implemented.  The changes to Oklahoma’s law follow changes to other state data breach notification laws within the past year, including New York’s addition of a 30-day deadline for notice to individuals (added in early 2025) and Pennsylvania’s addition of a regulator notification requirement and obligations to provide free credit monitoring (added in mid-2024).  Key updates from Oklahoma’s bill, which will go into effect on January 1, 2026, are discussed in further detail below.Continue Reading Oklahoma Substantially Amends Its Data Breach Notification Statute

On July 23, the White House released its AI Action Plan, outlining the key priorities of the Trump Administration’s AI policy agenda.  In parallel, President Trump signed three AI executive orders directing the Executive Branch to implement the AI Action Plan’s policies on “Preventing Woke AI in

Continue Reading Trump Administration Issues AI Action Plan and Series of AI Executive Orders

On June 23, 2025, the New York State Department of Financial Services (“NY DFS”) issued guidance to NY DFS-regulated individuals and entities regarding the impact of “ongoing global conflicts” to the financial sector. The guidance follows a bulletin from the U.S. Department of Homeland Security about the “heightened threat environment” in the United States, which specifically references cyber attacks. The NY DFS guidance highlights three key areas of focus: cybersecurity, sanctions, and virtual currency, and may be helpful for organizations across industries globally:Continue Reading New York State Department of Financial Services Issues Guidance on Cybersecurity, Sanctions, and Virtual Currency Following Escalation of Iran Conflict

On June 6, 2025, President Trump issued an Executive Order (“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”) (the “Order”) that modifies certain initiatives in prior Executive Orders issued by Presidents Obama and Biden and highlights key cybersecurity priorities for the current Administration.  Specifically, the Order (i) directs that existing federal government regulations and policy be revised to focus on securing third-party software supply chains, quantum cryptography, artificial intelligence, and Internet of Things (“IoT”) devices and (ii) more expressly focuses cybersecurity-related sanctions authorities on “foreign” persons.  Although the Order makes certain changes to prior cybersecurity related Executive Orders issued under previous administrations, it generally leaves the framework of those Executive Orders in place.  Further, it does not appear to modify other cybersecurity Executive Orders.[1]  To that end, although the Order highlights some areas where the Trump administration has taken a different approach than prior administrations, it also signals a more general alignment between administrations on core cybersecurity principles.Continue Reading White House Issues New Cybersecurity Executive Order

On May 22, 2025, the Cybersecurity and Infrastructure Security Agency (“CISA”), which sits within the Department of Homeland Security (“DHS”) released guidance for AI system operators regarding managing data security risks.  The associated press release explains that the guidance provides “best practices for system operators to mitigate cyber risks through the artificial intelligence lifecycle, including consideration on securing the data supply chain and protecting data against unauthorized modification by threat actors.”  CISA published the guidance in conjunction with the National Security Agency, the Federal Bureau of Investigation, and cyber agencies from Australia, the United Kingdom, and New Zealand.  This guidance is intended for organizations using AI systems in their operations, including Defense Industrial Bases, National Security Systems owners, federal agencies, and Critical Infrastructure owners and operators. This guidance builds on the Joint Guidance on Deploying AI Systems Security released by CISA and several other U.S. and foreign agencies in April 2024.Continue Reading CISA Releases AI Data Security Guidance

Earlier in April, the U.S. National Institute of Standards and Technology (“NIST”) published Special Publication (“SP”) 800-61, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, Revision 3 (“NIST SP 800-61”).  NIST SP 800-61 Revision 3 (“Revision 3”) is a significant change, as it not only represents the first update of the document since 2012, but also now maps the document’s recommendations and considerations for incident response to the six functions outlined in the recently-updated NIST Cybersecurity Framework 2.0—Govern, Identify, Protect, Detect, Respond, and Recover.  As a result, Revision 3 includes significant new recommendations and guidance for incident response, and entities should consider reviewing and updating their incident response plans and procedures to incorporate these recommendations, particularly if an entity has aligned its cybersecurity program with the NIST Cybersecurity Framework or used the prior versions of NIST SP 800-61 as a basis for existing incident response plans or procedures.Continue Reading NIST Publishes Updated Incident Response Recommendations and Considerations