Category

Cybersecurity

In a shocking show of gumption, a ransomware gang has reportedly not only hacked the IT systems of a US public company (MeridianLink), but also filed a complaint on the SEC’s Tips, Complaints, and Referrals page regarding MeridianLink’s claimed failure to disclose the incident in an 8-K in violation of the SEC’s new cybersecurity rules. Even though public companies are not yet required to comply with the new cybersecurity disclosure rules (8-K requirement goes effective on…

Effective November 1, 2023, New York State Department of Financial Services (“DFS”) Strengthens Cybersecurity Requirements for Financial Services Companies. All companies should take account of these amendments, as these DFS regulations are increasingly referenced as key benchmarks for cybersecurity compliance programs. New York State’s Department of Financial Services (“DFS”) finalized significant amendments to 23 CRR-NY 500 NY-CRR, “Cybersecurity Requirements for Financial Services Companies” (“Part 500”). This follows two rounds of proposed amendments and public comment…

In many ways, the Securities and Exchange Commission’s (“SEC”) October 30, 2023 enforcement action against software company SolarWinds Corporation (“SolarWinds”) and its chief information security officer (“CISO”) is a typical securities case. The first four counts involve alleged material misstatements by the public company related to widely reported operational turmoil that allegedly materially impacted the company. But aspects of the case may signal a change in how the SEC looks at cyber incidents, including internal…

In recent years, China has adopted a series of complex regulations around cybersecurity and privacy. In 2022, it issued rules for cross-border transfers of data, and its version of Standard Contractual Clauses (“China SCCs”) in February 2023. The China SCCs became effective in June, but there was a six-month grace period for filing, until November 30, 2023. Any company that has a presence in China or processes or transfers Chinese resident data outside of…

On August 29, 2023, the California Privacy Protection Agency (“CPPA”) published draft regulations on risk assessments and cybersecurity audits required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). The CPPA will discuss the draft regulations at the upcoming public meeting on September 8, 2023. The draft regulations make clear that the CPPA has not yet begun formal rulemaking, and that the draft regulations are “intended to facilitate…

In this episode, Cynthia Cole, IP & Technology Partner based in Palo Alto, is joined by Jerome Tomas, Chair of the Firm’s Securities and Exchange (SEC) and Financial Institutions Enforcement Group based in Chicago, as the two discuss the SEC’s recently issued Final Rules for Cyber and what this means for public companies. Listen in to learn more about: Why should you care? The SEC has brought enforcement actions before based on data breach disclosure - what’s different…

In brief: On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”). Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures…

Last month, the European Supervisory Authorities (ESAs) launched a consultation package on the first batch of certain draft regulatory technical standards (RTS) and draft implementing technical standards (ITS) on certain aspects of the EU’s Digital Operational Resilience Act, DORA. You can find more detail in our alert here. The draft technical standards cover: the risk management framework that financial institutions (FIs) are required to introduce; classification of ICT-related incidents; and the test for classifying…

In order to enforce (i) Decree 53 guiding the Cybersecurity Law and (ii) the Personal Data Protection Decree (i.e., Decree 13), the Ministry of Public Security (“MPS”) has been working on a draft Cybersecurity Administrative Sanctions Decree (“CASD”). By way of background, the first version of the CASD was released for public consultation in September 2021. Last year, the MPS also held a workshop in Hanoi to collect public comments on a version of the…