Cybersecurity

On October 30, 2023, days ahead of government leaders convening in the UK for an international AI Safety Summit, the White House issued an Executive Order (“EO”) outlining an expansive strategy to support the development and deployment of safe and secure AI technologies (for further details on the EO, see our blog here). As readers will be aware, the European Commission released its proposed Regulation Laying Down Harmonized Rules on Artificial Intelligence (the EU “AI Act”) in 2021 (see our blog here). EU lawmakers are currently negotiating changes to the Commission text, with hopes of finalizing the text by the end of this year, although many of its obligations would only begin to apply to regulated entities in 2026 or later.

The EO and the AI Act stand as two important developments shaping the future of global AI governance and regulation. This blog post discusses key similarities and differences between the two.Continue Reading From Washington to Brussels: A Comparative Look at the Biden Administration’s Executive Order and the EU’s AI Act

A would-be technical development could have potentially significant consequences for cloud service providers established outside the EU. The proposed EU Cybersecurity Certification Scheme for Cloud Services (EUCS)—which has been developed by the EU cybersecurity agency ENISA over the past two years and is expected to be adopted by the European Commission as an implementing act in Q1 2024—would, if adopted in its current form, establish certain requirements that could:

  1. exclude non-EU cloud providers from providing certain (“high” level) services to European companies, and
  2. preclude EU cloud customers from accessing the services of these non-EU providers.

Continue Reading Implications of the EU Cybersecurity Scheme for Cloud Services

On 12 September 2023, the UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (“NCSC”), Lindy Cameron, signed a joint memorandum of understanding (“MoU”) detailing how the Information Commissioner’s Office (“ICO”) and NCSC will work together moving forward.

The MoU does not create legally binding obligations between the ICO and NCSC, but provides a strong signal of intent for areas of cooperation.  The statements about information sharing and engaging with NCSC leading to potentially reduced fines under the UK GDPR are likely to be of particular interest to commercial organizations.Continue Reading ICO Encourages Organizations To Cooperate with NCSC and Flags Potential Reduction in Fines

On August 21, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”), National Security Agency (“NSA”), and National Institute of Standards and Technology (“NIST”) issued a joint quantum-readiness factsheet (the “Factsheet”) to inform organizations—particularly those that support critical infrastructure sectors—about quantum computing threats and to urge these organizations to begin

Continue Reading CISA, NSA, and NIST Urge Critical Infrastructure and Others to Prepare for Quantum Computing Cyber Threats

On August 4, 2023, the Securities and Exchange Commission’s (“SEC”) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure was published in the Federal Register, confirming the dates on which these new requirements will enter into force.  Covington has previously published a detailed summary of this rule, which imposes significant new disclosure requirements for publicly traded companies and, in certain instances, foreign private issuers.  As discussed in greater detail in that alert, the new rule requires U.S. public companies to report material cybersecurity incidents on Form 8-K within four business days of their determination that a material cybersecurity incident has occurred.  Foreign private issuers will be required to furnish information on Form 6-K about material cybersecurity incidents that they disclose or otherwise publicize to any stock exchange or to security holders in a foreign jurisdiction. Continue Reading Compliance Dates for SEC’s New Cyber Disclosure Rules Confirmed

Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated Proposed Second Amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (Proposed Second Amendment released June 28, 2023), it is not too late for companies to submit comments on the most

Continue Reading Proposed Second Amendment to NYDFS Cybersecurity Regulations: Comments Due August 14

According to a recently-released meeting agenda, the Securities and Exchange Commission’s (“SEC”) upcoming July 26, 2023 meeting will include consideration of adopting rules to enhance disclosures regarding cybersecurity risk management, governance, and incidents by publicly traded companies. 

The SEC initially proposed these rules in March 2022.  If adopted as

Continue Reading SEC to Consider Cyber Rules Next Week

On July 13, 2023 the White House issued the National Cybersecurity Strategy Implementation Plan (“NCSIP”).  The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year.  This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually.  Consistent with the Strategy, the NCSIP contemplates five broad lines of effort (“pillars”):

  • Defending critical infrastructure;
  • Disrupting and dismantling threat actors;
  • Shaping market forces to drive security and resilience;
  • Investing in a resilient future; and
  • Forging international partnerships to pursue shared goals.

Among the many initiatives, the Administration has outlined several specific efforts over the next three years that will be of interest to technology companies, federal contractors, and critical infrastructure owners and operators.Continue Reading White House Releases Implementation Plan for the National Cybersecurity Strategy

Earlier this week, the Securities and Exchange Commission (“SEC”) published an update to its rulemaking agenda indicating that two previously-proposed cyber rules might not be approved until October 2023 (although the agenda’s timeframe is an estimate and the rules could be finalized sooner, or later). The proposed rules in question

Continue Reading Update on SEC’s Cybersecurity Rules

On April 18, 2023, the European Commission published its proposal for an EU Cyber Solidarity Act (“CSA”).  It aims to strengthen incident detection, situational awareness, and response capabilities, and to ensure that entities providing services critical for day-to-day life can access expert support to manage their cyber risk and respond to incidents.  Specifically, the CSA aims to promote information sharing about cyber incidents and vulnerabilities, to help improve the cyber resilience of critical entities, and to create an EU-wide resource for incident management.

The CSA adds another layer to the increasingly crowded landscape of EU cybersecurity laws.  The proposed law would interact with the revised Network and Information Security Directive (“NIS2”) and certifications issued under the Cybersecurity Act. Private companies in specific sectors will also have to consider potential overlap with the forthcoming Cyber Resilience Act and the financial services-focused Digital Operation Resilience Act.

Below, we set out three striking features of the CSA that are likely to be of particular relevance to private companies.Continue Reading Three Interesting Features of the Proposed EU Cyber Solidarity Act