On 23 January 2024, the UK government published its draft Cyber Governance Code of Practice (the “Code”) to help directors and other senior leadership boost their organizations’ cyber resilience. The draft Code, which forms part of the UK’s wider £2.6bn National Cyber Strategy, was developed in conjunction with several industry experts and stakeholders – including the UK National Cyber Security Centre. The UK government is seeking views from organizations on the draft Code by 19 March 2024.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Francesca Blythehttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngFrancesca Blythe2024-02-12 09:04:102024-02-12 09:31:40UK Publishes Cyber Governance Code of Practice for Consultation
Last week, the U.S. Department of Commerce published a notice of proposed rulemaking (NPRM) implementing Executive Orders (EO) 13984 and 14110 to prevent “foreign malicious cyber actors” from accessing U.S. infrastructure as a service products1 (IaaS Rule). The IaaS Rule seeks to strengthen the U.S. government’s ability to track “foreign malicious cyber actors” who have relied on U.S. IaaS products to steal intellectual property and sensitive data, engage in espionage activities, and threaten national security by attacking critical infrastructure.
The staff of the Commodity Futures Trading Commission (CFTC) is seeking public comment (the Request for Comment) on the risks and benefits associated with use of artificial intelligence (AI) in the commodity derivatives markets. According to the Request for Comment, the staff “recognizes that use of AI may lead to significant benefits in derivatives markets, but such use may also pose risks relating to market safety, customer protection, governance, data privacy, mitigation of bias, and cybersecurity, among other issues.”
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00W. Hardy Callcotthttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngW. Hardy Callcott2024-02-07 14:33:022024-02-07 14:33:02U.S. CFTC Seeks Public Input on Use of Artificial Intelligence in Commodity Markets and Simultaneously Warns of AI Scams
On 22 January 2024, an unofficial version of the (presumed) final EU Artificial Intelligence Act (“AI Act”) was released. The AI Act reached political agreement early December 2023 (see our blog post here) and had undergone technical discussions to finalize the text since. It was reported that the document was shared with EU Member State Representatives on 21 January 2024, ahead of a discussion within the Telecom Working Party, a technical body of the EU Council on 24 January 2024, and that formal adoption at the EU Member State ambassador level (i.e. COREPER) will likely follow on 2 February. On Friday 26 January 2024, the Belgian Presidency of the Council officially shared the (analysis of the) final compromise text of the AI Act with Member State representatives – clearly indicating that this text will be put forward for adoption.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/10/MN-18359_Data-Matters_833x606-15.jpg607834William RM Longhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngWilliam RM Long2024-02-01 10:23:312024-02-28 10:36:17Unofficial Final Text of EU AI Act Released
Join Sidley and OneTrust DataGuidance for a reactionary webinar on the recently published, near-final text of the EU AI Act on February 5, 2024. This discussion with industry panelists will cover initial reactions to the text of the EU AI Act following finalization by EU legislators and examine the key points in the AI Act that businesses need to understand.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00William RM Longhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngWilliam RM Long2024-01-30 16:14:072024-02-08 17:26:59Preparing for the EU AI Act: Part 2
On January 17, 2024, the New York Department of Financial Services (NYDFS) entered into a consent order with Industrial and Commercial Bank of China Ltd. (ICBC or the Bank), resolving a matter in which ICBC’s New York branch disclosed confidential supervisory information (CSI) without authorization. The order includes a civil monetary penalty of $30 million. Two days later, the Board of Governors of the Federal Reserve System (Federal Reserve) entered into a consent cease-and-desist order with ICBC and its New York branch that includes a fine of approximately $2.4 million for the unauthorized disclosure of CSI. The Federal Reserve specifically noted that its action was taken in conjunction with the prior action of NYDFS.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Joel D. Feinberghttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngJoel D. Feinberg2024-01-24 13:02:372024-01-24 13:02:37Federal and State Regulators Fine Foreign Bank for Unauthorized Disclosure of Confidential Supervisory Information
On 30 November 2023, the EU reached political agreement on the Cyber Resilience Act (“CRA”), the first legislation globally to regulate cybersecurity for digital and connected products that are designed, developed, produced and made available on the EU market. The CRA was originally proposed by the European Commission in September 2022. Alongside the recently adopted Data Act, Digital Operational Resilience Act (“DORA”), Critical Entities Resilience Act (“CER”), Network and Information Systems Security 2 Directive (“NISD2”) and Data Governance Act, the CRA builds on the EU Data and Cyber Strategies, and complements upcoming certification schemes, such as the EU Cloud Services Scheme (“EUCS”) and the EU ICT Products Scheme (“EUCC”). It responds to an increase in cyber-attacks in the EU over the last few years – in particular the rise in software supply chain attacks which have tripled over the last year –as well as the significant rise in digital and connected products in daily life which magnifies the risk of such attacks.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/10/MN-18359_Data-Matters_833x606-13.jpg607834William RM Longhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngWilliam RM Long2024-01-22 12:07:302024-02-06 12:39:12EU Reaches Political Agreement on Cyber Resilience Act for Digital and Connected Products
The National Association of Insurance Commissioners (NAIC) held its Fall 2023 National Meeting (Fall Meeting) from November 30 through December 4, 2023. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Fall Meeting. Highlights include adoption of a new model bulletin addressing the use of artificial intelligence in the insurance industry, continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, and continued discussion of considerations related to private equity ownership of insurers.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Stephanie H. Dobeckihttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngStephanie H. Dobecki2024-01-09 12:03:012024-01-09 12:09:47Regulatory Update: National Association of Insurance Commissioners Fall 2023 National Meeting
UK Publishes Cyber Governance Code of Practice for Consultation
On 23 January 2024, the UK government published its draft Cyber Governance Code of Practice (the “Code”) to help directors and other senior leadership boost their organizations’ cyber resilience. The draft Code, which forms part of the UK’s wider £2.6bn National Cyber Strategy, was developed in conjunction with several industry experts and stakeholders – including the UK National Cyber Security Centre. The UK government is seeking views from organizations on the draft Code by 19 March 2024.
(more…)
Francesca Blythe
London
fblythe@sidley.com
Eleanor Dodding
London
edodding@sidley.com
Matthias Bruynseraede
London
mbruynseraede@sidley.com
New Know-Your-Customer and Reporting Rules Proposed for Cloud Providers: Five Key Takeaways
Last week, the U.S. Department of Commerce published a notice of proposed rulemaking (NPRM) implementing Executive Orders (EO) 13984 and 14110 to prevent “foreign malicious cyber actors” from accessing U.S. infrastructure as a service products1 (IaaS Rule). The IaaS Rule seeks to strengthen the U.S. government’s ability to track “foreign malicious cyber actors” who have relied on U.S. IaaS products to steal intellectual property and sensitive data, engage in espionage activities, and threaten national security by attacking critical infrastructure.
(more…)
Jen Fernandez
Washington, D.C.
jen.fernandez@sidley.com
Kayla M. Scott
Heather Hedges
Allison V. Reading
Washington, D.C.
areading@sidley.com
U.S. CFTC Seeks Public Input on Use of Artificial Intelligence in Commodity Markets and Simultaneously Warns of AI Scams
The staff of the Commodity Futures Trading Commission (CFTC) is seeking public comment (the Request for Comment) on the risks and benefits associated with use of artificial intelligence (AI) in the commodity derivatives markets. According to the Request for Comment, the staff “recognizes that use of AI may lead to significant benefits in derivatives markets, but such use may also pose risks relating to market safety, customer protection, governance, data privacy, mitigation of bias, and cybersecurity, among other issues.”
(more…)
W. Hardy Callcott
San Francisco
wcallcott@sidley.com
Nathan A. Howell
Chicago
nhowell@sidley.com
Kate Lashley
Miami, New York
klashley@sidley.com
Unofficial Final Text of EU AI Act Released
On 22 January 2024, an unofficial version of the (presumed) final EU Artificial Intelligence Act (“AI Act”) was released. The AI Act reached political agreement early December 2023 (see our blog post here) and had undergone technical discussions to finalize the text since. It was reported that the document was shared with EU Member State Representatives on 21 January 2024, ahead of a discussion within the Telecom Working Party, a technical body of the EU Council on 24 January 2024, and that formal adoption at the EU Member State ambassador level (i.e. COREPER) will likely follow on 2 February. On Friday 26 January 2024, the Belgian Presidency of the Council officially shared the (analysis of the) final compromise text of the AI Act with Member State representatives – clearly indicating that this text will be put forward for adoption.
(more…)
William RM Long
London
wlong@sidley.com
Francesca Blythe
London
fblythe@sidley.com
Lauren Cuyvers
Subhalakshmi Kumar
Preparing for the EU AI Act: Part 2
Join Sidley and OneTrust DataGuidance for a reactionary webinar on the recently published, near-final text of the EU AI Act on February 5, 2024. This discussion with industry panelists will cover initial reactions to the text of the EU AI Act following finalization by EU legislators and examine the key points in the AI Act that businesses need to understand.
(more…)
William RM Long
London
wlong@sidley.com
Lauren Cuyvers
Federal and State Regulators Fine Foreign Bank for Unauthorized Disclosure of Confidential Supervisory Information
On January 17, 2024, the New York Department of Financial Services (NYDFS) entered into a consent order with Industrial and Commercial Bank of China Ltd. (ICBC or the Bank), resolving a matter in which ICBC’s New York branch disclosed confidential supervisory information (CSI) without authorization. The order includes a civil monetary penalty of $30 million. Two days later, the Board of Governors of the Federal Reserve System (Federal Reserve) entered into a consent cease-and-desist order with ICBC and its New York branch that includes a fine of approximately $2.4 million for the unauthorized disclosure of CSI. The Federal Reserve specifically noted that its action was taken in conjunction with the prior action of NYDFS.
(more…)
Joel D. Feinberg
Washington, D.C.
jfeinberg@sidley.com
Michael D. Lewis
Washington, D.C.
michael.lewis@sidley.com
Joan M. Loughnane
New York
jloughnane@sidley.com
Michael D. Mann
New York
mmann@sidley.com
Timothy J. Treanor
Laura Sorice
EU Reaches Political Agreement on Cyber Resilience Act for Digital and Connected Products
On 30 November 2023, the EU reached political agreement on the Cyber Resilience Act (“CRA”), the first legislation globally to regulate cybersecurity for digital and connected products that are designed, developed, produced and made available on the EU market. The CRA was originally proposed by the European Commission in September 2022. Alongside the recently adopted Data Act, Digital Operational Resilience Act (“DORA”), Critical Entities Resilience Act (“CER”), Network and Information Systems Security 2 Directive (“NISD2”) and Data Governance Act, the CRA builds on the EU Data and Cyber Strategies, and complements upcoming certification schemes, such as the EU Cloud Services Scheme (“EUCS”) and the EU ICT Products Scheme (“EUCC”). It responds to an increase in cyber-attacks in the EU over the last few years – in particular the rise in software supply chain attacks which have tripled over the last year –as well as the significant rise in digital and connected products in daily life which magnifies the risk of such attacks.
(more…)
William RM Long
London
wlong@sidley.com
Francesca Blythe
London
fblythe@sidley.com
Lauren Cuyvers
Mhairi Caminiti
Trainee Solicitor
mhairi.cameroncaminiti@sidley.com
Regulatory Update: National Association of Insurance Commissioners Fall 2023 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Fall 2023 National Meeting (Fall Meeting) from November 30 through December 4, 2023. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Fall Meeting. Highlights include adoption of a new model bulletin addressing the use of artificial intelligence in the insurance industry, continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, and continued discussion of considerations related to private equity ownership of insurers.
(more…)
Stephanie H. Dobecki
Chicago
sdobecki@sidley.com
Ellen M. Dunn
New York
edunn@sidley.com
Andrew R. Holland
New York
aholland@sidley.com
Michael L. Rosenfield
Los Angeles
mrosenfield@sidley.com
Chris H. Burusco
Los Angeles
cburusco@sidley.com
Sara N. Africano
Chicago
safricano@sidley.com
Jacob A. Grossman
Chicago
jgrossman@sidley.com
Upcoming Events
AI and Patent Law: Navigating a Changing Landscape
Resources