Cybersecurity Takeaways From White House Tech Report

On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.

(more…)

FTC Proposes Significant and Sweeping Changes to COPPA and Requests Public Comment

On January 11, 2024, the Federal Trade Commission (“FTC”) published its Notice of Proposed Rule Making (“NPRM”) seeking to update the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule in the Federal Register.  Among other things, the proposed changes would require more granular privacy notices, require fairly detailed identification of, and parental consent to, third-party data sharing (including targeted advertising), expand the scope of personal information subject to COPPA, make it easier for parents to provide consent via text message, clarify various requirements around EdTech, including school authorization for parental consent, and impose significant new programmatic information security and data retention requirements.

(more…)

UK Publishes Cyber Governance Code of Practice for Consultation

On 23 January 2024, the UK government published its draft Cyber Governance Code of Practice (the “Code”) to help directors and other senior leadership boost their organizations’ cyber resilience. The draft Code, which forms part of the UK’s wider £2.6bn National Cyber Strategy, was developed in conjunction with several industry experts and stakeholders – including the UK National Cyber Security Centre. The UK government is seeking views from organizations on the draft Code by 19 March 2024.

(more…)

New Export Controls on Advanced Computing and Semiconductor Manufacturing: Five Key Takeaways

On October 25, 2023, the U.S. Department of Commerce Bureau of Industry and Security (BIS) published updated export controls on advanced computing items and semiconductor manufacturing equipment under the Export Administration Regulations (EAR). Specifically, BIS published two interim final rules that revise and expand on the restrictions implemented in the initial interim final rule issued on October 7, 2022 (October 7, 2022 rule).1

(more…)

U.S. SEC Division of Exams Announces 2024 Examination Priorities

On October 16, 2023, the U.S. Securities and Exchange Commission (SEC) Division of Examinations (EXAMS or Division) issued its annual examination priorities, which, for the first time, was published at the start of the SEC’s fiscal year to “better inform investors and registrants of key risks, trends, and examination topics” the Division intends to focus on in the coming year.1

(more…)

SEC’s Cybersecurity Disclosure Rules Are Here. Is Your Company Ready to Comply?

Companies are facing more attacks on their information systems. And, as their cyber risk skyrockets, the SEC has stepped in with new regulations, telling businesses what to disclose about these incidents — and requiring detailed disclosures on cyber risk management more broadly. With the deadline for compliance fast approaching, businesses are scrambling to mitigate their legal risk and comply with regulations that some say may be an overreach.

(more…)

U.S. SEC Public Company Cybersecurity Disclosure Regulation Finalized With Swift Effective Date

On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective 30 days following publication in the Federal Register. The Final Rule applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers, smaller reporting companies, and business development companies, and will require disclosure of material cybersecurity incidents on Form 8-K and Form 20-F and periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.

(more…)

Cybersecurity and Environmental Fraud Top Priorities of U.S. Commodity Futures Trading Commission Division of Enforcement

Just before Americans began their Fourth of July holiday, the U.S. Commodity Futures Trading Commission (CFTC) Division of Enforcement Director announced that the division has established two key task forces: the Cybersecurity and Emerging Technologies and the Environmental Fraud Task Force.1 Both task forces will be staffed with attorneys and investigators across the Division of Enforcement with the goal of serving as subject matter experts and prosecuting cases. As a result, CFTC registrants should be prepared for heightened focus on cybersecurity and environmental fraud, particularly in the derivatives and relevant spot markets.

(more…)

Hong Kong New PCPD Guidance on Handling Data Breaches

On June 30, 2023, Hong Kong’s data protection authority (the Office of the Privacy Commissioner for Personal Data, or PCPD) issued an updated version of its Guidance on Data Breach Handling and Data Breach Notifications (the Guidance, accessible here), which aims to guide companies on how they respond to data breaches. In particular, the Guidance contains a new recommendation for companies to adopt written data breach response plans.

(more…)

SEC Delays Enactment of Cyber Rules Related to Investment Adviser and Public Companies to October 2023, Updates Timeline to April 2024 for Recently Proposed Cybersecurity Rules

On June 13, 2023, the Office of Management and Budget released its Spring 2023 Unified Agenda of Regulatory and Deregulatory Actions, which includes updates on Securities and Exchange Commission (“SEC”) proposed rules.  The SEC pushed back  its estimate for the final action date to October 2023 for its proposed cybersecurity rules related to public companies, as well as for its investment advisers and funds proposal.  Notably, the SEC’s timelines are typically estimates for implementation, and the proposed rules could be introduced sooner or later than these dates. However, the updated timeline indicates that the SEC is prioritizing finalizing its cybersecurity rules related to public companies and investment advisers and funds.

(more…)