Action Items for U.S. Public Companies for 2025
Rapid rulemaking and aggressive enforcement by the SEC, combined with legislative, judicial, and regulatory developments, have created new requirements and expectations for U.S. public companies.
Spotlight on Women in Privacy: Nathalie Barrera
Check out the December issue of Spotlight on Women in Privacy, featuring Nathalie Barrera. Nathalie discusses her role as a privacy attorney at Palo Alto Networks, the importance of continuous learning, and some of the key developments she will be watching out for.
UK Operational Resilience Rules: Are You Ready for 31 March 2025?
Several categories of UK financial services firms, including banks, insurers, electronic money institutions, and payment institutions, are required to comply with new requirements on operational resilience beginning 31 March 2025.
Looking Ahead to 2025 in EU Cybersecurity Developments
As 2024 draws to a close, we look ahead to notable upcoming cyber developments in the new year. From the adoption of new cyber laws to the initiation of infringement proceedings by the European Commission against a number of EU Member States for alleged failures to adequately implement the EU Network and Information Systems Security 2 Directive, the EU continues to emphasize cybersecurity in a rapidly evolving legal and technological environment. There are no signs of this momentum slowing down in 2025.
U.S. Department of Commerce Issues Proposed Rule on ICTS Supply Chain for Connected Vehicles
On September 26, 2024, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a long-awaited rule proposing to ban certain connected vehicles transactions involving hardware and software linked to the People’s Republic of China (China) and Russia. BIS also proposed extensive compliance obligations for importers and manufacturers of connected vehicles and related components, which come as the automotive industry continues to grapple with how to protect critical safety-related data as vehicle interconnectivity increases.
DOL Confirms Cybersecurity Guidance Applies to All Employee Benefit Plans
The U.S. Department of Labor (DOL) published Compliance Assistance Release No. 2024-01 on September 6, 2024. The release, titled “Cybersecurity Guidance Update,” clarifies that the cybersecurity guidance the DOL issued in April 2021 applies to all employee benefit plans, including health and welfare plans. The DOL states that since the guidance was published, service providers have told plan fiduciaries and Employee Benefits Security Administration (EBSA) investigators that the guidance applies only to retirement plans.
DORA – ESAs Publish Draft Technical Standards on ICT Subcontracting
On 26 July 2024, the European Supervisory Authorities (EBA, EIOPA and ESMA, collectively, the “ESAs”) published their joint final report on the draft Regulatory Technical Standards (“RTS”) specifying the elements that a financial entity should determine and assess when subcontracting ICT services supporting critical or important functions under Article 30(5) of the Digital Operational Resilience Act (“DORA”). The RTS are intended to assist with the enhancement of the digital operational resilience of the financial services sector by improving in-scope entities’ ICT risk management, specifically with respect to the issue of ICT subcontracting.
UK proposes New Cyber Security and Resilience Bill to Boost the UK’s Cyber Defences
During the King’s Speech on 17 July 2024, the newly appointed UK Prime Minister announced the UK Government’s intention to introduce a new Cyber Security and Resilience Bill to strengthen the UK’s defences against the global rise in cyberattacks and to protect the UK’s critical infrastructure. In background briefing notes published together with the King’s Speech, the UK Government stated that the new Cyber Security and Resilience Bill will “strengthen our defences and ensure that more essential digital services than ever before are protected.” According to the briefing notes, the Cyber Security and Resilience Bill intends to address the concern that the UK has not kept up-to-date with recent legislative advancements made by the EU in the cybersecurity space, resulting in the UK being “comparably more vulnerable.” Although the form of the proposed Cyber Security and Resilience Bill has yet to be released, the UK Government has indicated that it plans to introduce the bill in the coming months.
An Artificial Intelligence, Privacy, and Cybersecurity Update for Indian Companies Doing Business in the United States and Europe
Pivotal shifts have occurred in global data privacy, artificial intelligence (AI), and cybersecurity from executives facing more pressure to monitor their organizations’ cybersecurity operations, to an unprecedented wave of consumer data privacy laws and rapid advancements in AI technology use and deployment. Indian organizations should establish best practices to address these new (and emerging) laws, regulations, and frameworks.
Cybersecurity Takeaways From White House Tech Report
On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.
