Will Daugherty (US)

Subscribe to all posts by Will Daugherty (US)

TSA Transitions To Results-Based Approach in Revised Pipeline Cybersecurity Directive In Response to Industry Feedback

By Will Daugherty (US) and Patrick Burke (US) on August 2, 2022 Posted in Compliance and risk management, Cybersecurity

The Transportation Security Administration (“TSA”) announced on July 21, 2022 that it is transitioning to a less prescriptive and more result-based approach in its revised emergency cybersecurity directive for critical gas and liquid pipeline companies. The Security Directive Pipeline-2021-02C (“SD02C”), effective July 27, 2022, represents a significant departure from the highly prescriptive requirements set forth … Continue reading

New PCI DSS v4.0 – Flexibility added

By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on May 16, 2022 Posted in Cybersecurity

On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

By Chris Cwalina (US), Ashley Zatloukal (US), Anna Rudawski (US), Will Daugherty (US) and Alexis Wilpon (US) on March 16, 2022 Posted in Cybersecurity, Data breach, Ransomware

On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

Proposed cybersecurity rules for SEC registered advisers and funds

By Will Daugherty (US) and Kate Nelson (US) on March 4, 2022 Posted in Cybersecurity

On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading

Cyber authorities sound the alarm on critical vulnerability In Java Library

By David Kitchen (US), Chris Cwalina (US), Anna Rudawski (US), David Kessler (US) and Will Daugherty (US) on December 13, 2021 Posted in Cybercrime, Cybersecurity, Ransomware, Vendor management and transactions

On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading

US SEC announces three actions charging firms for cybersecurity deficiencies

By Kevin Harnisch (US), Chris Cwalina (US), Will Daugherty (US), Ashley Zatloukal (US) and Matthew Niss (US) on September 15, 2021 Posted in Cybersecurity, Enforcement

The SEC announced enforcement actions against three sets of advisers for alleged failures in cybersecurity policies that violate the Safeguards Rule.… Continue reading

Proposed “Cyber Incident Reporting for Critical Infrastructure Act of 2021”

By Will Daugherty (US) and Susan Ross (US) on August 31, 2021 Posted in Cybersecurity

On August 27, 2021, the U.S. House Homeland Security Committee released a draft bill that would, among other things, establish a Cyber Incident Review Office (CIR Office) within the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), and require critical infrastructure owners and operators to report … Continue reading

President Biden’s Executive Order on improving the nation’s cybersecurity

By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on May 19, 2021 Posted in Cybersecurity

On May 12, 2021, President Biden issued an Executive Order aimed at improving cybersecurity of the federal government, with assistance from the private sector. The 18-page Executive Order does not set forth specific requirements, but rather sets deadlines for named agencies to develop requirements, standards, or guidelines on specific cybersecurity areas. The Executive Order also … Continue reading

Incentivizing public utilities to enhance cybersecurity: FERC’s proposed regulation

By Will Daugherty (US) and Susan Ross (US) on February 11, 2021 Posted in Cybersecurity

On February 5, 2021, the Federal Energy Regulatory Commission (“FERC”) published proposed regulations in the Federal Register that would provide federal financial incentives to utilities that voluntarily increase certain cybersecurity measures above those required by the Critical Infrastructure Protection Reliability Standards (“CIP Reliability Standards”) or by the NIST, Framework for Improving Critical Infrastructure Cybersecurity (“NIST … Continue reading