On October 22, 2024, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) issued a series of orders imposing almost $7 million in disclosure fines against four global digital service providers impacted by the 2020 SolarWinds compromise. The SEC accused
Chris Cwalina (US)
SEC statement clarifies material cybersecurity incident disclosure requirement
SEC final rule on reporting material cybersecurity incidents
In July 2023, the US Securities and Exchange Commission (SEC) finalized its rule requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. Though materiality is not a…
US SEC charges SolarWinds and its CISO for alleged cybersecurity misstatements and controls failures
On October 30, 2023, the SEC announced charges against SolarWinds and its Chief Information Security Officer Timothy Brown.
Read our full analysis at www.nortonrosefulbright.com.
Special thanks to Law Clerk Ian Slingsby (Washington, DC) for his assistance in the…
Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act
On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard. Currently, a hodgepodge of industry-specific and state…
FTC Signals Additional Scrutiny for Data Breaches
On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification…
New PCI DSS v4.0 – Flexibility added
On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new requirements for service providers (now called TPSPs—third party service providers). Of those new requirements, 13 are effective immediately for anyone undergoing a PCI DSS v4.0 assessment; 51 are “best practice” until March 31, 2025, at which time they will be mandatory. In addition, each requirement now includes an entry for “Customized Approach Objective,” because the Council will allow entities to adopt an approach that “does not strictly follow the defined requirement” as long as it meets the stated objective in accordance with the Council’s requirements. The Council noted that this new approach “is intended for risk-mature entities that demonstrate a robust risk-management approach to security, including, but not limited to a dedicated risk-management department or an organization-wide risk management approach.” (Standards at 28.) The previous version of PCI DSS (3.2.1) is retired as of March 31, 2024. Either PCI DSS 3.2.1 or 4.0 can be used for assessments between now and March 31, 2024 (page 36).
Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect
On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act…
Who gets to decide to pay the ransom in a ransomware attack?
The onslaught of ransomware attacks since the pandemic began has not slowed. Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups. But organizations also…
Cyber authorities sound the alarm on critical vulnerability In Java Library
On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers.…
OFAC Announces New Measures to Address Ransomware Attacks
The U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) implemented additional measures today to combat the growing ransomware problem. OFAC’s measures consist of: (1) the designation of the entire SUEX OTC, S.R.O. (“SUEX”) crypto-currency exchange (SUEX) to the…