This quarterly report provides updates on cyber regulations issued by various regulatory bodies, such as the U.S. Securities and Exchange Commission and the New York Department of Financial Services. It also highlights recent developments in the EU-U.S. Data Privacy Framework, notable enforcement actions, and expert perspectives.
Regulatory Updates
U.S. Securities and Exchange Commission: In March 2022, the SEC proposed a rule that would require public companies to disclose cybersecurity incidents within four business days of determining that an incident is material. The rule would also require additional information about each incident, including its current status, date of occurrence, the data affected, and remediation measures. Although the rule was initially expected to be finalized in April 2023, no further updates on the final rule, its scope, or key dates have been published.
New York Department of Financial Services Part 500: The finalization date for the amendment proposed to NYDFS Part 500, which aims to redefine the term “risk assessment,” has not been determined yet.
EU-U.S. Privacy Framework: On May 11, 2023, the European Parliament conducted a plenary session where a resolution concerning the adequacy of the EU-U.S. Data Privacy Framework was adopted. The resolution urges ongoing negotiations between the European Commission and the U.S. However, the new framework has not been officially finalized as EU officials contend that the U.S. government has yet to fully implement its obligations.
Network and Information Security Directive 2: The NIS2 Directive (EU) 2022/2555 entered into force in January 2023. Member states must transpose the directive’s provisions into national law by October 17, 2024, and by April 17, 2025 each member state must have compiled a comprehensive list of covered entities. The directive promotes cyber crisis management, harmonized security requirements and reporting obligations, and addresses supply chain and vulnerability management.
Other Regulations
Food & Drug Administration: In March 2023, the Consolidated Appropriations Act, also known as the Omnibus, was implemented. Section 3305 of this act mandates that medical device manufacturers include details about their cybersecurity measures when submitting applications for regulatory clearance. The FDA has announced that these requirements will be enforced starting in October 2023.
Digital Operational Resilience Act (DORA): The European Union passed DORA in January 2023 with a two-year implementation window; entities must be compliant by January 2025. DORA focuses on financial institutions and aims to safeguard against incidents affecting information and communication technology (ICT). Financial institutions will be required to establish a comprehensive ICT risk management framework, conduct regular operational resilience testing, and include specific provisions in contracts with third-party ICT providers.
Product Security and Telecommunications Infrastructure Act: From April 2024, the U.K. will enforce the Product Security and Telecommunications Infrastructure Act to ensure minimum protections against cybersecurity risks associated with devices. The act prohibits the use of universal default and easily guessable passwords on consumer products and requires companies to disclose the duration of security updates. Manufacturers must provide contact information for reporting device vulnerabilities.
Notable Enforcement Actions
Meta Platforms: Irish regulators fined Meta Platforms a record-breaking $1.3 billion for transferring user data to the U.S. This penalty highlights the need for the U.S. government to finalize an agreement allowing multinational companies to continue such data transfers. Stricter enforcement is expected, emphasizing the risks of violating the EU’s privacy rules.
BitFlyer: BitFlyer, a cryptocurrency exchange, entered into a consent order with the NYDFS due to deficiencies found in its cybersecurity program. This suggests further enforcement measures are likely in the future.
Expert Insight
Bob Chaput, founder and executive chairman of the board of Clearwater Compliance, a risk and compliance solution provider, identified several challenges companies will face in complying with the new SEC rule on cybersecurity risk management, strategy, governance, and incident disclosure.
Chaput explained that the complexity of the regulations can create confusion and hinder effective implementation. He emphasized that cybersecurity is unfamiliar to many C-suite executives and board members, making it difficult for them to understand the requirements and meet deadlines.
Chaput highlighted the challenge of identifying and reporting cybersecurity incidents, especially for individuals with limited knowledge of the subject. He also mentioned the SEC’s requirement for disclosing board expertise in cybersecurity.
To address these challenges, Chaput recommends establishing automated data collection, analysis, and reporting systems, implementing clear data management policies and procedures, and investing in training and education programs to enhance employees’ understanding of SEC rules and compliance requirements.