Cybersecurity

Earlier in April, the U.S. National Institute of Standards and Technology (“NIST”) published Special Publication (“SP”) 800-61, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, Revision 3 (“NIST SP 800-61”).  NIST SP 800-61 Revision 3 (“Revision 3”) is a significant change, as it not only represents the first update of the document since 2012, but also now maps the document’s recommendations and considerations for incident response to the six functions outlined in the recently-updated NIST Cybersecurity Framework 2.0—Govern, Identify, Protect, Detect, Respond, and Recover.  As a result, Revision 3 includes significant new recommendations and guidance for incident response, and entities should consider reviewing and updating their incident response plans and procedures to incorporate these recommendations, particularly if an entity has aligned its cybersecurity program with the NIST Cybersecurity Framework or used the prior versions of NIST SP 800-61 as a basis for existing incident response plans or procedures.Continue Reading NIST Publishes Updated Incident Response Recommendations and Considerations

On 15 January 2025, the European Commission published an action plan on the cybersecurity of hospitals and healthcare providers (the “Action Plan”). The Action Plan sets out a series of EU-level actions that are intended to better protect the healthcare sector from cyber threats. The publication of the Action Plan follows a number of high-profile incidents in recent years where healthcare providers across the European Union have been the target of cyber attacks.Continue Reading European Commission Publishes Action Plan on Cybersecurity of Hospitals and Healthcare Providers

On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements.  The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach affecting New York residents.  Specifically, businesses now must disclose data breaches affecting New York residents within thirty days from the discovery of a breach.  Additionally, the amendment adds the New York Department of Financial Services (“NYDFS”) to the list of state regulators that must be notified whenever a breach requiring notification to New York residents occurs. Continue Reading New York Adopts Amendment to the State Data Breach Notification Law

In the final quarter of 2024, there have been significant developments in the EU cybersecurity legal landscape. Most prominently, the EU institutions adopted the Cyber Resilience Act and mid-October marked the deadline for Member States to transpose the NIS2 Directive into national law. Most Member States failed to meet the NIS2 transposition deadline, which resulted in the European Commission sending a formal notice to 23 Member States, urging them to transpose the Directive. These 23 Member States have been given two months to respond. (For more information on the Cyber Resilience Act and NIS2 Directive, see our blog posts here and here.)Continue Reading Three Recent Developments in the EU Cyber Landscape

On October 16, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) published guidance on Product Security Bad Practices (the “Guidance”) that identifies “exceptionally risky” product security practices for software manufacturers.  The Guidance states that the ten identified practices—categorized as (1) Product Properties, (2) Security Features, or (3) Organizational Processes and Policies—are “dangerous and significantly elevate[] risk to national security, national economic security, and national public health and safety.”

The Guidance offers recommendations to remediate each of the identified practices and states that adoption of the recommendations indicates software manufacturers “are taking ownership of customer security outcomes.”  Provided below are the ten practices and associated recommendations.Continue Reading CISA and FBI Publish Product Security Bad Practices

On October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks arising from the use of artificial intelligence (“AI”) and providing strategies to address these risks.  While the Guidance “does not impose any new requirements,” it clarifies how Covered Entities should address AI-related risks as part of NYDFS’s landmark cybersecurity regulation, codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”).  The Cybersecurity Regulation, as revised in November 2023, requires Covered Entities to implement certain detailed cybersecurity controls, including governance and board oversight requirements.  Covered Entities subject to the Cybersecurity Regulation should pay close attention to the new Guidance not only if they are using or planning on using AI, but also if they could be subject to any of the AI-related risks or attacks described below. Continue Reading NYDFS Issues Industry Guidance on Risks Arising from Artificial Intelligence

The UK Government has announced that it intends to introduce the Cyber Security and Resilience Bill (the “Bill”) to Parliament in 2025. Formally proposed as part of the King’s Speech in July, this Bill is intended to strengthen the UK’s cross-sectoral cyber security legislation to better protect the UK’s economy and infrastructure. This Bill will update the existing NIS Regulations, which derive from EU law. Part of the UK Government’s motivation seems to be to keep pace with updates to EU law in this area, specifically relating to the NIS2 Directive that starts to apply this month (see our blog post on this, here).Continue Reading What to expect from the UK’s Cyber Security and Resilience Bill (and when)

On September 17, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) published a Secure by Design Alert, cautioning senior executives and business leaders to be aware of and work to eliminate cross-site scripting (“XSS”) vulnerabilities in their products (the “Alert”).  XSS vulnerabilities allow “threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts.” Continue Reading CISA and FBI Publish a Secure by Design Alert to Eliminate Cross-Site Scripting Vulnerabilities

Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.

Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.

The IR is open for feedback via the Commission’s Have Your Say portal until July 25.Continue Reading NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents

On April 25, 2024, the UK’s Investigatory Powers (Amendment) Act 2024 (“IP(A)A”) received royal assent and became law.  This law makes the first substantive amendments to the existing Investigatory Powers Act 2016 (“IPA”) since it came into effect, and follows an independent review of the effectiveness of the IPA published in June 2023.Continue Reading Changes to the UK investigatory powers regime receive royal assent