Cybersecurity

On June 2, 2026, the White House issued an executive order titled “Promoting Advanced Artificial Intelligence Innovation and Security” (the “Order”).  The Order reflects the Administration’s stated policy of advancing U.S. leadership in artificial intelligence (“AI”) while addressing national security risks associated with increasingly capable AI systems.  To

Continue Reading White House Releases Executive Order on Advanced AI Innovation and Security

Earlier this month, the Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with the National Security Agency and other international partners, released guidance for organizations on adopting agentic artificial intelligence systems (i.e., systems composed of one or more agents that fundamentally rely on an AI model, such as an LLM

Continue Reading CISA Releases Guidance on the Careful Adoption of Agentic AI Services

On May 26, 2026, the Cybersecurity & Infrastructure Security Agency (“CISA”), announced a revised schedule of virtual town halls as part of its rulemaking implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  These town halls were initially scheduled for March and April 2026 but were delayed by the lapse in funding for the Department of Homeland Security that ended on April 30, 2026, and are now scheduled to begin on June 15, 2026.  The “specific topics of interest” CISA highlighted in its original announcement remain unchanged.

Continue Reading CISA Announces Revised Schedule of Town Halls for CIRCIA Rulemaking

On March 6, 2026, the Administration released “President Trump’s Cyber Strategy for America” alongside an Executive Order (entitled “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens”) and accompanying Fact Sheet.  The framework set forth in the Strategy document is significantly shorter and higher-level than the prior

Continue Reading White House Releases New National Cyber Strategy and Executive Order

The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provides liability protections and other safeguards for sharing certain cybersecurity information with the U.S. federal government and private entities, was reauthorized as part of the funding bill enacted on February 3, 2026. CISA 2015’s information‑sharing provisions, which had been scheduled to sunset on January 30, 2026, will now remain in effect through September 30, 2026.

Continue Reading Cybersecurity Information Sharing Act of 2015 Reauthorized Through September 2026

On 20 January 2026, the European Commission published a proposal for a Regulation to update and replace the Cybersecurity Act (Regulation 2019/881). The proposal—known as the Cybersecurity Act 2 (CSA2)—forms part of a wider package aimed at modernizing and streamlining the EU’s cybersecurity framework and is closely linked to the

Continue Reading European Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification Reforms

On December 16, 2025, the U.S. National Institute of Standards and Technology (“NIST”) published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (“Cyber AI Profile” or “Profile”).  According to the draft, the Cyber AI Profile is intended to “provide guidelines for managing cybersecurity risk related to AI

Continue Reading NIST Publishes Preliminary Draft of Cybersecurity Framework Profile for Artificial Intelligence for Public Comment

On November 20, 2025, the Securities and Exchange Commission (“SEC”) announced that it was voluntarily dismissing the case it brought against SolarWinds Corp. (“SolarWinds”) and its Chief Information Security Officer, Timothy Brown, regarding the company’s security practices and related statements in connection with the “Sunburst” cybersecurity incident. The SEC stated in a brief release that its decision to dismiss with prejudice the case against SolarWinds and Mr. Brown was “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.”

Continue Reading SEC Voluntarily Dismisses SolarWinds Litigation

The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provides protections for sharing cybersecurity threat information with the federal government and others, was reauthorized under the funding bill to reopen the federal government, which was enacted on November 12, 2025.  The information sharing mechanisms and protections under CISA 2015, which had previously sunset on September 30, 2025, will now extend through January 30, 2026.

Continue Reading Cybersecurity Information Sharing Act of 2015 Reauthorized Through January 2026

On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”), which requires Covered Entities to implement a comprehensive cybersecurity program that includes written policies addressing TPSP risks as well as due diligence, contractual requirements, and periodic assessments for TPSPs. While the Guidance is explicit that it “does not impose any new requirements” beyond those already included in the Cybersecurity Regulation, it provides significant additional detail to clarify how to comply with existing requirements and offers industry best practices to mitigate TPSP-related cyber risks. As the Guidance suggests that NYDFS will continue to focus on TPSP-related cyber risks, Covered Entities should consider reviewing their TPSP oversight and management against the specific recommendations from the Guidance and adjusting their practices where appropriate. Alongside a review of TPSP oversight and management, Covered Entities may also consider reviewing their implementation of the provisions of the Cybersecurity Regulation requiring multifactor authentication, asset management, and data retention, which take effect on November 1, 2025.

Continue Reading NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers