Insightful article discusses the SEC's new cybersecurity incident disclosure requirements, which significantly impact corporate governance and the roles of IT leaders, especially Chief Information Security Officers (CISOs).

Key Points:
- SEC's Enhanced Cybersecurity Regulations: The SEC has introduced stringent regulations for corporate accountability regarding cybersecurity.
- Impact on IT Leaders: IT leaders must report significant cyber incidents within four business days and detail their cybersecurity risk management strategies in annual reports.
- SolarWinds Corporation: The SEC's action against SolarWinds and its CISO, Timothy G. Brown, highlights the importance of accurate cybersecurity disclosures.
- Increased Responsibilities for CISOs: CISOs now face greater pressure to ensure cyber transparency, manage advanced risks, and comply with the SEC's requirements.
- Strategic Implications for IT Leadership: IT leaders need to build teams with a mix of technical skills, regulatory knowledge, and risk management expertise.
- New Role of CISOs: CISOs and CIOs are now pivotal in corporate governance, acting as architects of digital trust. Their strategic decisions and proactive risk management define corporate resilience and integrity in the digital and regulatory landscape.
How Cybersecurity Legal Decisions Affect Businesses
-
On Friday, the Supreme Court decided Loper v. Raimondo, essentially killing "Chevron Deference." See https://lnkd.in/e2kryVVb. Chevron was the law for 40 years and was cited in more than 18,000 federal decisions. In short, Chevron said that when courts determine whether the regulations crafted by agencies are consistent with ambiguous federal legislation, they should generally defer to agencies' interpretation. In other words, the courts let agency experts fill in the legislative gaps using their subject matter expertise. In Loper, the Supreme Court reversed course, overruling Chevron. For the first time in at least 40 years, the Supreme Court held that the Administrative Procedure Act requires courts to exercise their independent judgment in deciding whether an agency has acted within its statutory authority, and courts may not defer to an agency interpretation simply because a statute is ambiguous.

Given that the majority of federal cyber rules come from regulations (e.g., the new SEC cyber rules), rather than from legislation itself, the death of Chevron could have significant impacts on cyber:

1. INCREASED UNCERTAINTY: Organizations may expend significant resources to comply with federal cyber regulations, only to find such regulations invalidated or significantly modified by courts.
2. LESS UNIFORMITY: Increased uncertainty about federal regulations may lead to increased cyber and privacy regulations at the state level, making compliance more confusing and costly.
3. COMPLEX & INFLEXIBLE FEDERAL LEGISLATION: If agencies cannot effectively regulate around ambiguity in federal legislation, it may lead to federal legislation being more narrow, inflexible, and less helpful. Alternatively, legislatures may try to make laws more comprehensive, which could lead to laws becoming more complicated and harder to enact. While Congress might be able to solve some of these problems by specifically granting agencies the right to interpret ambiguity in each future bill, it may be hard to reach bipartisan consensus on this resolution.
4. LONGER LITIGATION: Organizations may: (a) attempt to relitigate some of the 18,000+ cases decided under Chevron; (b) challenge existing regulations that they thought could not be successfully challenged under Chevron; and/or (c) be more likely to challenge each future regulation. With the potential for thousands of new cases flooding the courts, all litigation, including breach litigation, may be delayed in the morass.
5. UNHELPFUL INTERPRETATIONS: The courts generally have less cyber expertise than the experts at CISA, DHS, and other agencies, which may lead to interpretations that make us less secure.
6. CEDING REGULATORY POWER TO THE EU: These new challenges likely faced by Congress and the courts may further exacerbate the lead the European Union (EU) seems to have over the U.S. when it comes to implementing comprehensive technology regulations.

OR . . . it might have minimal impact. Stay tuned!
-
Salt Typhoon offers an important reminder—no, not that China is exploiting our critical infrastructure (though they are). This breach—and the knee-jerk reaction from cybersecurity leaders that followed—reminds us that blindly following cyber “best practices” may safeguard your organization on the one hand while exposing your organization to liability on the other.

Following the discovery of the Salt Typhoon breach compromising nearly all U.S. telecommunication providers, the former directors of the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urged individuals and businesses to adopt end-to-end encrypted communication tools, offering crucial protection against cyber threats. While this is a sound recommendation, it’s important to remember that for organizations in highly regulated industries, adopting encryption too hastily can lead to non-compliance with industry-specific regulations.

Navigating the Balance:
- End-to-End Encryption: Important to secure internal and external communications. However, regulated industries need encryption solutions that also comply with retention, auditing, and monitoring standards.
- Policies & Procedures: Establish clear guidelines for encrypted communications. Be mindful of settings like message purge rules that can interfere with compliance and ensure regular training for employees on security and regulatory requirements.
- Baseline Cybersecurity Measures: Don't overlook fundamental practices such as multifactor authentication, password management, and regular software updates to strengthen your organization’s defenses against threats.

Bottom line: End-to-end encryption secures communications, but not all encryption solutions align with regulatory data retention and auditing requirements in sectors like financial services (SEC Rule 17a-4) and healthcare (HIPAA). Organizations must carefully evaluate both security risks and regulatory obligations before implementation.

--- Thanks to Dark Reading for publishing our piece! ---

#cyber #cybersecurity #cyberlaw Jillian Cash Kellen Carleton Buchanan Ingersoll & Rooney PC Lucian Niemeyer Sean Plankey Alison King Kathryn Wang Guillermo Christensen Brian Krebs George A. George Kamide NetDiligence® AmTrust Financial Services, Inc. FBI Cyber Division U.S. Securities and Exchange Commission Kurt Sanger
-
🌐 Have you heard of the EU’s Cyber Resilience Act (CRA), and do you know this groundbreaking legislation's cybersecurity and data privacy impacts? 🌐

In this video, Debbie Reynolds, “The Data Diva”, discusses the Cyber Resilience Act (CRA) coming to the European Union in 2025, with full enforcement starting in 2027. This groundbreaking law will impact any product with a digital element, including the Internet of Things (IoT), setting a new global standard for cybersecurity. 🛡️💻

Key points:
🌐 The CRA requires strict cybersecurity compliance for all products with digital components, impacting both manufacturers and third-party vendors 🎯
🌐 Starting in 2027, products sold in the EU must have a CE marking, signifying they've passed rigorous cybersecurity standards ✅
🌐 Companies failing to comply face fines of up to €15 million or 2.5% of global turnover ⚖️💶
🌐 This law will be game-changing for industries globally, setting a new precedent for securing digital products from creation to disposal 🛠️🗂️
🌐 This law is mandatory, unlike the US Cyber Trustmark program, which is voluntary and doesn't account for the entire supply chain or third-party vendors

While the US Cyber Trustmark program is a step in the right direction, it lacks the legal enforceability and comprehensive oversight of the Cyber Resilience Act. The CRA sets a higher bar by covering the entire lifecycle of digital products—from creation to disposal—and ensuring that companies update or replace IoT devices to maintain security over time. 📊🔐

The CRA will influence markets worldwide, especially for US-based companies that will need to align with these new standards to operate in the EU. As cyber threats continue to rise, this is a significant leap forward in protecting consumer data and ensuring the security of connected devices. 📊🔐

Watch the full video to learn how the CRA will shape the future of digital product security! 🎥👇 Data privacy and cybersecurity experts, please give me your thoughts.

🚀 Empower your organization to master the complexities of Privacy and Emerging Technologies! Gain a real business advantage with our tailored solutions. Reach out today to discover how we can help you stay ahead of the curve. 📈✨ Debbie Reynolds Consulting, LLC Data Diva Media #dataprivacy #datadiva #privacy #cybersecurity #CyberResilienceAct #IoT #DigitalProducts #EURegulations #EmergingTech #ProductSecurity #PrivacyMatters #EU #cybertrustmark
-
SEC Cybersecurity Directives: Will They Pioneer Changes in the Cyber Insurance Landscape?

As business leaders gear up for the Securities and Exchange Commission's (SEC) directive requiring public companies to announce "material" cybersecurity incidents, many are gauging the repercussions not only on their enterprises and third-party vendors but also on cyber insurance coverage. Both public and private companies may experience shifts in their insurance terms and negotiations due to these regulations. Let's look at a few potential impacts and considerations:

📌 Materiality Assessment: "Material" for SEC reporting may differ from what needs to be reported to an insurer. An incident might not be material from a defense advisor's perspective but may still trigger insurance notification requirements.
📌 Crucial Timing: Insurers often require immediate notification, even if an incident's full scope isn't known. The SEC will expect disclosure once an incident's materiality is ascertained. Balancing these timelines is vital.
📌 Legal Implications: Mistakes or delays in reporting can result in fines, litigation, or insurance disagreements when handling intertwined reporting duties.
📌 Claim Review: Insurers may assess claims and coverage in light of disclosed cyber practices.
📌 Premium Revisions: Rates could be influenced by a company's security track record and measures.

Considerations:
👉 Unified Reporting Protocols: Create clear guidelines differentiating "materiality" for the SEC and insurers.
👉 Engage Experts: Consult legal, cyber defense, and insurance advisors regularly to ensure reporting alignment and avoid discrepancies that can lead to penalties or insurance coverage disputes.
👉 Stay Updated on Cybersecurity Measures: Regularly update and log your cybersecurity practices for optimal insurance terms and readiness for any required disclosures.

As the SEC intensifies its cybersecurity reporting requirements, the ripple effect will be felt across the business sector, including within cyber insurance dynamics. Companies must navigate differing "materiality" definitions, prompt reporting demands, and anticipate potential shifts in insurance terms. Regular engagement with experts and staying updated on best practices will be pivotal in this new era of cyber transparency and accountability. #Regulations #materiality #cyberdefense #cyberinsurance #reporting #protectwhatmattersmost
-
Aligning Cybersecurity Oversight: A Look at NYDFS and SEC Regulations

Recent amendments to the New York State Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR 500, provide updated guidelines on the roles of the Chief Information Security Officer (CISO) and board responsibilities. These changes show similarities to the new SEC rules that will become effective later this year.

CISO Role under NYDFS:
- Definition: The CISO is responsible for overseeing, implementing, and enforcing the firm's cybersecurity program and policy.
- Oversight: CISOs must actively manage cybersecurity risks and cannot delegate this duty entirely.

Role of the Board under NYDFS:
- Oversight Responsibility: The senior governing body must oversee cybersecurity risk management effectively.
- Expertise Requirement: Board members should have adequate understanding of cybersecurity to offer oversight, with the option to consult advisors.

Comparison with Role of the Board under SEC Rules:
- Board Oversight: Both the SEC and NYDFS highlight the need for board oversight of cybersecurity risks.
- Information Flow: Both regulations specify how the board or board committees should be informed about cybersecurity risks.
- Management Roles: The SEC additionally requires firms to disclose who in management is responsible for cybersecurity, and their expertise.

How Companies Can Prepare:
- Define Roles: Clearly outline the responsibilities of the senior governing body and the CISO, and ensure efficient interaction between the two.
- Conduct Assessments: Carry out annual risk assessments, including evaluations of the company's mission and reputation.
- Update Policies: Establish guidelines to keep the senior governing body informed about important cybersecurity issues, in alignment with both NYDFS and SEC regulations.

Companies should evaluate their cybersecurity controls and governance to align with these revised guidelines, ensuring clarity in roles and procedures for continuous risk management. #cybersecurity #regulation #risk
-
Cybersecurity implications of AI: On October 16, the New York State Department of Financial Services (DFS), which has long been out front on both cybersecurity and artificial intelligence, issued guidance for regulated entities (banks, insurance companies, others) on addressing cybersecurity risks arising from AI. The guidance does not impose new requirements, but rather addresses how DFS-regulated institutions can meet their existing obligations under the Department’s cybersecurity regulation in light of evolving risks from AI. In essence, the guidance says that entities must consider AI-related risks in their risk assessment and in their development of cybersecurity controls. The guidance calls out four risks in particular, two (social engineering and enhanced cyber-attacks) arising from threat actors’ use of AI and two (theft of nonpublic information and increased vulnerabilities due to supply chain dependencies) caused by an entity’s use of AI. The guidance touches on: how, when designing their risk assessments, covered entities should address AI-related risks; third-party service provider and vendor management; access controls; cybersecurity training; monitoring; and data management. https://lnkd.in/gDvEznMw
-
Well, it's now official. The U.S. Securities and Exchange Commission (SEC) just put out this press release. SEC registrants (any company that files documents with the SEC) must:

1) Disclose any #cybersecurity incident they determine to be material and describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. This is due four business days after it is determined that a cybersecurity incident is material.
2) Describe their processes, if any, for assessing, identifying, and managing material #risks from cybersecurity threats, as well as reasonably likely material effects of risks from cybersecurity #threats and previous cybersecurity incidents.
3) Describe the #board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

The 2nd and 3rd disclosures will be required in a registrant's annual report, due beginning with fiscal years ending on or after December 15, 2023.
-
Last year, the Securities and Exchange Commission (SEC) passed the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” regulation. CISOs, security vendors, legal firms, consultancies, and advisory firms have primarily focused on one of the four aspects of this regulation: Incident Disclosure.

But there are three other elements to be addressed on an annual basis for US public registrants:
- Risk Management
- Strategy
- Governance

CEOs and CIOs - These three elements involve management and the board of directors, not just CISOs. After reading 45 recent 10-K submissions, I want to note some observations to raise awareness.

For those who aren’t intimately familiar with how the regulation process worked, my personal observation is that – in spirit – the SEC may have thought of Sarbanes-Oxley (SOX) as an example when drafting the regulation. The requirement for SOX is for CEOs and CFOs to certify, evaluate, and disclose critical information… it doesn’t state that a VP of Finance reporting to a CFO, who in turn reports to a CEO, should certify, evaluate, and disclose critical information. I draw this analogy because most public entities have CISOs that do not directly report to a CEO. Some companies even lack a CISO by title, making it even less clear that they are “management” in the way that one might interpret the SEC language.

Put more plainly, when the SEC states, “Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise”, I think that a reasonable investor might question why only the CISO is mentioned by title in many of the recent 10-K section 1C filings. Why not the rest of the responsible management team, where applicable?

CEOs, CIOs, and board members might consider reviewing the language of the annual SEC requirement to ensure sufficient detail is provided in writing to meet the intention of the regulation. #ceo #cio #riskmanagement #corpgov #cybersecurity
-
SEC Cybersecurity 8-K Alert

As the former Senior Cybersecurity Advisor to the U.S. Securities and Exchange Commission Chair, it appears the 8-Ks issued so far are non-compliant. What’s missing is how these cyber events have or will introduce material business, operational and financial harm. I suspect most companies have not figured this out. This is reflective of a disconnect amongst the technology, cybersecurity, business and enterprise risk management functions… including the Boardroom!!!!

Below is a list of business focused risk factors:
• Costs due to business interruption, decreases in production and delays in product launches.
• Payments to meet ransom and other extortion demands.
• Remediation costs, such as liability for stolen assets or information, repairs of system damage and incentives to customers or business partners in an effort to maintain relationships after an attack.
• Increased cybersecurity protection costs, which may include increased insurance premiums and the costs of making organizational changes, deploying additional personnel and protection technologies, training employees and engaging third-party experts and consultants.
• Lost revenues resulting from intellectual property theft and the unauthorized use of proprietary information or the failure to retain or attract customers following an attack.
• Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.
• Harm to employees and customers, violation of privacy laws and reputational damage that adversely affects customer or investor confidence.
• Damage to the company’s competitiveness, stock price and long-term shareholder value.

Cyber risk management is a team sport that requires the entirety of the enterprise to ensure business resilience. What is required is a more inclusive message and collaboration that includes all enterprise risk management leaders.

NACD (National Association of Corporate Directors) Khwaja Shaik X-Analytics (SSIC) John Frazzini CrowdStrike Dominique Shelton Leipzig Andrew Hoog John Carlin Erez Liebermann David Curran Avi Gesser Jamil Farshchi Jim Routh Robert Wilkinson Edward Amoroso Charles Blauner Sean Lyngaas Kim Nash The Wall Street Journal Anne-Marie Kelley Nasdaq Jay Leek Brian Peretti Jared Nussbaum Adam Cottini Thomas Etheridge Daniel Bernard Vanessa Mesics George Kurtz Shawn Henry CNBC Rocco Grillo Katherine Kuehn Bob Ackerman Jim Cramer Kevin Mandia Jen Easterly

Learn more about how the NACD (National Association of Corporate Directors) boardroom community is tackling this issue, powered by X-Analytics (SSIC): https://lnkd.in/esrRhxJQ