In the wake of the SEC’s new rule requiring prompt disclosure of cybersecurity incidents, incident response (IR) teams have asked how they should modify IR plans to promote compliance with the new rule. We have summarized the SEC’s new rules here and discussed some of the nuances of materiality determinations here. In a separate

David Aaron
David Aaron is a former federal prosecutor with the U.S. Department of Justice (DOJ), National Security Division and a former Manhattan Assistant District Attorney.
It’s Official: Cybersecurity Disclosure Is Coming This Year
The U.S. Securities and Exchange Commission adopted final rules on July 26, 2023, requiring public companies to provide current disclosure, within what may be a short time window, about material cybersecurity incidents and to include disclosure relating to cybersecurity risk management, strategy, and governance in annual reports.
According to the SEC, these rules are designed…
Cybersecurity Implementation Plan Offers a Roadmap for Cyber Priorities
The Biden Administration recently released the implementation plan for the National Cybersecurity Strategy. The Plan includes initiatives for new cybersecurity regulations, new and expanded liability regimes, broad public and private engagement, and new procurement obligations and funding opportunities. Companies should pay close attention to opportunities to help shape new regulatory and liability schemes and should…
Sector-Based Cybersecurity Requirements for Critical Infrastructure, From Our Water Systems to the Skies
Critical infrastructure companies should expect substantial new federal cybersecurity requirements based on the National Cybersecurity Strategy that President Biden announced on March 2, 2023. The Strategy includes enhanced requirements for critical infrastructure. Specifically, President Biden pivoted federal cybersecurity policy from encouraging voluntary adoption of proactive security measures to using regulation and other measures to mandate…
FERC Establishes New Monitoring Requirements for Bulk Electric Systems
The Federal Energy Regulatory Commission has published a final rule directing the North American Electric Reliability Corporation to develop standards for internal network cybersecurity monitoring. The standards will apply to all high-impact bulk electric systems and to medium-impact bulk electric systems with external routable connectivity, and NERC must also conduct a study of the security of other…
The Biden Administration’s National Cybersecurity Strategy: Impact on the Private Sector
The Biden Administration released its National Cybersecurity Strategy on March 1. The Strategy breaks with past precedent and emphasizes regulatory mandates and imposing liability, in addition to enhancing voluntary information sharing and development of best practices. The Strategy will particularly affect critical infrastructure and cloud service providers.
New TSA Rail Cybersecurity Rule Shows Trend Toward Prescriptive Mandates
The Transportation Security Administration issued a new cybersecurity directive to enhance cybersecurity preparedness and resilience for designated passenger and freight railroads. The requirements focus on performance-based measures to achieve critical cybersecurity outcomes in light of the growing sophistication of evolving threats.
The directive is effective as of October 24, 2023, and companies will need to…
Important Lessons from the Hive Ransomware Disruption
The recently announced disruption of the Hive ransomware network is a significant and welcome accomplishment. It cuts off bad actors from the gains they sought to extract from victims and makes their continued criminal activity more challenging. Raising the cost on malicious cyber actors is always a good way to deny them the inherent benefits of online crime, such as distance from target, anonymity, and freedom of operation.…
Biden Administration Plans Mandatory Cybersecurity Regulations for Critical Infrastructure Companies
Recent comments by Anne Neuberger, President Biden’s Deputy National Security Adviser for Cyber and Emerging Technology, herald an important shift in U.S. cybersecurity policy. Traditionally, the U.S. Government’s approach has mostly focused on requiring companies to notify regulators and affected individuals of security breaches that implicate specific types of information, such as personally identifiable information, protected health information, and financial information. Federal efforts to prescribe or enforce proactive security measures have been sector-specific, such as the Transportation Security Administration’s Security Directives covering rail and pipeline owners and operators. Those measures have been spread among sector-specific agencies, which has resulted in multiple, and sometimes conflicting or confusing, requirements applying to some businesses. Federal law enforcement agencies have also made targeted and novel use of criminal search authorities to proactively remediate privately owned machines infected with malware by Russia- and China-based actors.…
EU Takes Step Toward Approval of EU-US Data Privacy Framework
The European Commission released a draft adequacy decision on December 13, 2022, approving the new EU-U.S. data privacy framework established in part by President Biden’s Executive Order 14086 issued on October 7, 2022. The draft adequacy decision is the first step in the European Union’s adoption procedure.