Cybersecurity

Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated Proposed Second Amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (Proposed Second Amendment released June 28, 2023), it is not too late for companies to submit comments on the most recent version of the proposed

According to a recently-released meeting agenda, the Securities and Exchange Commission’s (“SEC”) upcoming July 26, 2023 meeting will include consideration of adopting rules to enhance disclosures regarding cybersecurity risk management, governance, and incidents by publicly traded companies. 

The SEC initially proposed these rules in March 2022.  If adopted as proposed, the new rules would

On July 13, 2023 the White House issued the National Cybersecurity Strategy Implementation Plan (“NCSIP”).  The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year.  This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually.  Consistent with the Strategy, the NCSIP contemplates five broad lines of effort (“pillars”):

  • Defending critical infrastructure;
  • Disrupting and dismantling threat actors;
  • Shaping market forces to drive security and resilience;
  • Investing in a resilient future; and
  • Forging international partnerships to pursue shared goals.

Among the many initiatives, the Administration has outlined several specific efforts over the next three years that will be of interest to technology companies, federal contractors, and critical infrastructure owners and operators.Continue Reading White House Releases Implementation Plan for the National Cybersecurity Strategy

Earlier this week, the Securities and Exchange Commission (“SEC”) published an update to its rulemaking agenda indicating that two previously-proposed cyber rules might not be approved until October 2023 (although the agenda’s timeframe is an estimate and the rules could be finalized sooner, or later). The proposed rules in question address disclosure requirements regarding cybersecurity

On April 18, 2023, the European Commission published its proposal for an EU Cyber Solidarity Act (“CSA”).  It aims to strengthen incident detection, situational awareness, and response capabilities, and to ensure that entities providing services critical for day-to-day life can access expert support to manage their cyber risk and respond to incidents.  Specifically, the CSA aims to promote information sharing about cyber incidents and vulnerabilities, to help improve the cyber resilience of critical entities, and to create an EU-wide resource for incident management.

The CSA adds another layer to the increasingly crowded landscape of EU cybersecurity laws.  The proposed law would interact with the revised Network and Information Security Directive (“NIS2”) and certifications issued under the Cybersecurity Act. Private companies in specific sectors will also have to consider potential overlap with the forthcoming Cyber Resilience Act and the financial services-focused Digital Operation Resilience Act.

Below, we set out three striking features of the CSA that are likely to be of particular relevance to private companies.Continue Reading Three Interesting Features of the Proposed EU Cyber Solidarity Act

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released guidance on Security-by-Design and Security-by-Default principles for technology manufacturers that was jointly developed by the Federal Bureau of Investigation and the National Security Agency, as well as cybersecurity authorities in Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand.  While similar principles have been published in the past, such as those released by the U.S. Federal Trade Commission, this guidance builds on the White House’s recent roll-out of the U.S. National Cybersecurity Strategy and is in line with efforts to encourage a consistent, international approach to software security that emphasizes the responsibilities of software manufacturers across various jurisdictions.  While the guidance primarily focuses on recommendations for technology manufacturers, it also includes recommendations for enterprise customers to “hold their supplying technology manufacturers accountable for the security outcomes of their products.”  CISA and the authoring agencies are seeking feedback on the guidance, and indicated plans to hold future listening sessions to collect feedback. Continue Reading CISA Publishes International Guidance on Implementing Security-by-Design and Security-by-Default Principles for Software Manufacturers and Customers

On March 16, 2023, the Federal Energy Regulatory Commission (“FERC”) approved a new Reliability Standard “adding new requirements focused on supply chain risk management for low impact bulk electric system (“BES”) Cyber Systems.”  Continue Reading FERC Approves New Cybersecurity Requirements for Low Impact Bulk Electric Systems

On March 21, 2023, the United States Cybersecurity and Infrastructure Security Agency (“CISA”) announced the issuance of updated Cybersecurity Performance Goals (“CPGs”).  The CPGs, which were originally released in October 2022, are intended to establish a set of fundamental cybersecurity practices to be voluntarily implemented by critical infrastructure owners and operators across all critical infrastructure sectors.  The CPGs apply to both information technology (“IT”) and operational technology (“OT”) and are designed to reduce risk related to known, high-impact cyber threats and adversarial tactics, techniques, and procedures (“TTPs”).Continue Reading CISA Releases Revised Cybersecurity Performance Goals for Critical Infrastructure

On March 8, 2023, the United States Department of Health and Human Services (“HHS”), through the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Counsel Joint Cybersecurity Working Group, released an updated version of its Cybersecurity Framework Implementation Guide (the “Guide”) “to help the public and private health care sectors prevent cybersecurity incidents.”  Specifically, the Guide aims to help healthcare organizations leverage the NIST Cybersecurity Framework to “determine their cybersecurity goals, assess their current cybersecurity practices, or lack thereof, and help identify gaps for remediation.”  Continue Reading HHS Releases Guidance to Help Healthcare Organizations Align with the NIST Cybersecurity Framework

On March 3, 2023, the United States Environmental Protection Agency (“EPA”) published a memorandum requiring states to evaluate the cybersecurity of operational technology used by public water systems (“PWSs”) “when conducting PWS sanitary surveys or through other state programs.”  EPA’s memorandum “interprets the regulatory requirements relating to the conduct of sanitary surveys to require that