The EU’s new Network and Information Security Directive (NIS2) and its transpositions into the national laws of Member States will – contrary to all political objectives – not only apply to critical infrastructures, but all sectors of the economy. The threats to corporate cybersecurity no longer come from teenage hackers. They come from highly professional international criminal organizations and hostile state actors. In particular, the phenomenon of ransomware – malware that encrypts corporate data and…
Following the passing of the Personal Data Protection (Amendment) Bill 2024 (“Bill”) by the Malaysian Parliament in July 2024, three public consultation papers have been issued in relation to the implementation of the following impending new legal obligations: The deadline to provide feedback is 6 September 2024 (Friday). In more detail: We have earlier highlighted in our client alert some of the key changes brought by the Bill to the Personal Data Protection Act 2010 (PDPA) and that certain…
In brief: In a landmark decision on July 18, 2024, Judge Paul Engelmayer of the Southern District of New York dismissed most charges in the SEC’s enforcement action against SolarWinds and its CISO, Timothy Brown. The court ruled that cybersecurity controls are not part of a company’s “system of internal accounting controls” under Section 13(b)(2)(B)(iii) of the Exchange Act, dismissing these claims. However, the court upheld charges that SolarWinds and Brown misled investors with public…
The EU’s NIS2 Directive entered into force in January 2023 and seeks to achieve a high common level of cybersecurity protection across the Union. The Directive must be implemented by Member States by 17 October 2024 and Hungary has been one of the earliest movers, with its first substantive obligations already in effect: covered entities were required to register with the national authorities by 30 June 2024. You can find more information on the Hungarian…
In brief: On May 21, 2024, Erik Gerding, Director of the US Securities and Exchange Commission (SEC) Division of Corporate Finance, issued a statement clarifying the SEC’s expectations for cybersecurity incident disclosures under the new Form 8-K Item 1.05. Gerding’s statement clarified that Item 1.05 disclosures should be reserved for material cybersecurity incidents, and voluntary disclosures of immaterial incidents, or of incidents before a materiality determination has been made, should be provided under a different item of…
At the Update Conference recently hosted by the Bureau of Industry and Security (“BIS”), the Office of Export Enforcement introduced a newly established Cyber Division to manage the increasing number of disclosures it is receiving related to cyber incidents. This announcement signals increased regulatory scrutiny in cyber incidents and underscores the need for companies to update their cyber governance programs and incident response plans to analyze whether impacted data is subject to US export controls…
Today, April 4, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) officially published its long-awaited Notice of Proposed Rulemaking (“Proposed Rule”) for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The Proposed Rule requests written comments from the public no later than June 3, 2024. CISA will then have 18 months to promulgate a final rule, which is expected to be finalized and in effect by October 2025. CIRCIA Big Picture: CIRCIA is…
The new Cyber Security Bill 2024 (“Bill”) was tabled for first reading at the Malaysian Parliament on 25 March 2024. The Bill aims to provide a regulatory framework for the safeguarding of Malaysia’s cyber security landscape by requiring national critical information infrastructure entities to comply with certain measures, standards and processes in the management of the cyber security threats and cyber security incidents. To achieve such objectives, the Bill provides for, among others, the establishment…
28 January 2024 is Data Protection Day (or Data Privacy Day outside of Europe), which marks the anniversary of the Council of Europe’s Convention 108. Data Privacy Day encourages the global community to think about the importance of respecting privacy, safeguarding data, and enabling trust. In an increasingly connected and digitized world, where data protection, privacy and cybersecurity regulation are rapidly evolving, the work of the global data community is more vital, and more challenging,…
On January 7, 2024, China’s Cyberspace Administration (“CAC”) closed the public consultation period for its new cybersecurity incident reporting rules, which were released in December. If the draft rules are adopted as written, companies would be required to report certain cybersecurity incidents to the relevant Chinese regulator within one hour. The relevant regulator depends on the nature of the IT system compromised, the industry, and other factors and may be the local CAC, the public…