Will Daugherty (US)

Subscribe to all posts by Will Daugherty (US)

US SEC charges SolarWinds and its CISO for alleged cybersecurity misstatements and controls failures

Photo of Chris Cwalina (US)Photo of Will Daugherty (US)Photo of Kevin J. Harnisch (US)Photo of Anna Rudawski (US)Photo of Ilana Beth Sinkin (US)By Chris Cwalina (US), Will Daugherty (US), Kevin J. Harnisch (US), Anna Rudawski (US) and Ilana Beth Sinkin (US) on Posted in Cybersecurity, Dispute resolution and litigation, Enforcement
On October 30, 2023, the SEC announced charges against SolarWinds and its Chief Information Security Officer Timothy Brown. Read our full analysis at www.nortonrosefulbright.com. Special thanks to Law Clerk Ian Slingsby (Washington, DC) for his assistance in the preparation of this content.… Continue reading

President Biden issues sweeping artificial intelligence directives targeting safety, security and trust

Photo of Will Daugherty (US)Photo of Marcus Evans (UK)Photo of Gerar Mazarakis (US)By Will Daugherty (US), Marcus Evans (UK) and Gerar Mazarakis (US) on Posted in Artificial Intelligence
On October 30, 2023, after recognizing that Artificial Intelligence (AI) is the most consequential technology of our time and anticipating that it will accelerate more technological change in the next five to ten years than witnessed in the past fifty, President Biden issued an Executive Order directing actions to establish new AI standards. These directives, … Continue reading

TSA Transitions To Results-Based Approach in Revised Pipeline Cybersecurity Directive In Response to Industry Feedback

Photo of Will Daugherty (US)Photo of Patrick Burke (US)By Will Daugherty (US) and Patrick Burke (US) on Posted in Compliance and risk management, Cybersecurity
The Transportation Security Administration (“TSA”) announced on July 21, 2022 that it is transitioning to a less prescriptive and more result-based approach in its revised emergency cybersecurity directive for critical gas and liquid pipeline companies.  The Security Directive Pipeline-2021-02C (“SD02C”), effective July 27, 2022, represents a significant departure from the highly prescriptive requirements set forth … Continue reading

New PCI DSS v4.0 – Flexibility added

Photo of Chris Cwalina (US)Photo of Will Daugherty (US)Photo of Susan Ross (US)By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on Posted in Cybersecurity
On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making.  In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Anna Rudawski (US)Photo of Will Daugherty (US)Photo of Alexis Wilpon (US)By Chris Cwalina (US), Ashley Zatloukal (US), Anna Rudawski (US), Will Daugherty (US) and Alexis Wilpon (US) on Posted in Cybersecurity, Data breach, Ransomware
On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments.  The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

Proposed cybersecurity rules for SEC registered advisers and funds

Photo of Will Daugherty (US)Photo of Kate Nelson (US)By Will Daugherty (US) and Kate Nelson (US) on Posted in Cybersecurity
On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”).  Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading

Cyber authorities sound the alarm on critical vulnerability In Java Library

Photo of David Kitchen (US)Photo of Chris Cwalina (US)Photo of Anna Rudawski (US)Photo of David Kessler (US)Photo of Will Daugherty (US)By David Kitchen (US), Chris Cwalina (US), Anna Rudawski (US), David Kessler (US) and Will Daugherty (US) on Posted in Cybercrime, Cybersecurity, Ransomware, Vendor management and transactions
On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading

Proposed “Cyber Incident Reporting for Critical Infrastructure Act of 2021”

Photo of Will Daugherty (US)Photo of Susan Ross (US)By Will Daugherty (US) and Susan Ross (US) on Posted in Cybersecurity
On August 27, 2021, the U.S. House Homeland Security Committee released a draft bill that would, among other things, establish a Cyber Incident Review Office (CIR Office) within the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), and require critical infrastructure owners and operators to report … Continue reading

President Biden’s Executive Order on improving the nation’s cybersecurity

Photo of Chris Cwalina (US)Photo of Will Daugherty (US)Photo of Susan Ross (US)By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on Posted in Cybersecurity
On May 12, 2021, President Biden issued an Executive Order aimed at improving cybersecurity of the federal government, with assistance from the private sector.  The 18-page Executive Order does not set forth specific requirements, but rather sets deadlines for named agencies to develop requirements, standards, or guidelines on specific cybersecurity areas.  The Executive Order also … Continue reading

Incentivizing public utilities to enhance cybersecurity: FERC’s proposed regulation

Photo of Will Daugherty (US)Photo of Susan Ross (US)By Will Daugherty (US) and Susan Ross (US) on Posted in Cybersecurity
On February 5, 2021, the Federal Energy Regulatory Commission (“FERC”) published proposed regulations in the Federal Register that would provide federal financial incentives to utilities that voluntarily increase certain cybersecurity measures above those required by the Critical Infrastructure Protection Reliability Standards (“CIP Reliability Standards”) or by the NIST, Framework for Improving Critical Infrastructure Cybersecurity (“NIST … Continue reading
LexBlog