Paul Hastings Hosts Panel on New Cybersecurity Regulations at Privacy + Security Forum
November 08, 2023
Kimia Favagehi and Hannah Edmonds
On November 8, 2023, Paul Hastings hosted the Cybersecurity Law Workshop with a panel on new cybersecurity regulations and guidance at this Fall’s Privacy+Security Forum. The panel was moderated by Paul Hastings Senior Privacy Director and Deputy Chief Privacy Officer Jeremy Berkowitz, and featured Johnathan Rudy (Senior Corporate Counsel, Cybersecurity & Data Protection, TransUnion) and Spencer Fisher (Chief Counsel, Department of Homeland Security, Cybersecurity & Infrastructure Security Agency).
The panel provided an overview of Federal cybersecurity rules and updates originating from the Securities and Exchange Commission (“SEC”) and the New York Department of Financial Services (“NYDFS”). Panelists also led a discussion on cybersecurity updates at the state level, the White House’s recent AI Executive Order (which we discussed in a previous blog post), the Department of Homeland Security’s Secure-by-Design Guidance, and cyber incident reporting to the Federal Government.
Here are some of the main takeaways from the panel:
Cybersecurity Regulations. The panel began with a discussion of the SEC disclosure requirements adopted in July 2023, which cover cybersecurity risk management, strategy, governance, and incident reporting for public companies. Panelists explained that the incident reporting requirements now require organizations to disclose cybersecurity incidents in real time via Form 8-K or Form 6-K. Panelists noted that there is still a learning curve for entities now disclosing information they previously did not have to make public. Disclosure requirements regarding risk management, strategy, and governance now place a stronger emphasis on the role of the board of directors and its oversight of cybersecurity risk.
The NYDFS adopted its updated Part 500 Regulations last week with revisions in the areas of notification obligations, class A companies, and governance as follows:
- Notification obligations now include notifying NYDFS within 24 hours of making an extortion payment.
- Obligations for class A companies (NYDFS-regulated businesses that either (a) have over 2,000 employees, or (b) have over $1 billion in gross annual revenue) now include independent audits by internal or external auditors, implementation of a privileged access management solution and methods for automatically blocking commonly used passwords, and implementation of endpoint detection tools and other solutions to monitor and log potentially unauthorized activity.
- Governance updates include that Chief Information Security Officers (“CISOs”) must report to their senior governing body (e.g., the board) or other senior executives on material cybersecurity issues.
State Law (California). Panelists discussed the California Privacy Protection Agency’s September 2023 rulemaking requiring businesses to conduct annual cybersecurity audits and risk assessments where processing personal data involves “significant risk to consumers’ privacy.” Annual security audits apply to businesses that derive 50 percent or more of annual revenue or that have at least $25 million in revenue and process a certain number of consumer records. Topics in annual audits include, but are not limited to, access controls, authentication, assessment, hardware configuration, and incident response. Panelists noted that the audits would benefit companies’ privacy risk practices regardless of whether they are required. Additionally, panelists explained that annual cybersecurity risk assessments apply in multiple scenarios, such as where businesses sell or share personal information, process sensitive personal information, or process customer personal information for AI or automated decision-making purposes. The draft rules further set out proposed elements of each risk assessment, which include a detailed description of the processing activity and the data used, along with the associated benefits and negative impacts.
Harmonization of Incident Reporting to the Federal Government. Panelists highlighted the challenges that arise with incident reporting to the Federal Government, such as competing deadlines and varying requirements. In response to this issue, just last month, DHS released guidance proposing to streamline Federal Government incident reporting requirements. As part of this guidance, DHS addressed recommendations on definitions, reporting, and notices. For example, panelists highlighted the importance of uniform timelines for incident reporting rather than duplicative and conflicting timelines.
Artificial Intelligence. Panelists discussed the recent AI Executive Order and the intersection of AI and cybersecurity in the United States. For example, the Cybersecurity and Infrastructure Security Agency is evaluating the ways in which AI technologies can help advance cybersecurity tools in the Federal Government. Additionally, panelists recommended that companies engaging with AI technology evaluate the various aspects of AI and consider different use cases before incorporating such technologies into their businesses.
What Companies Should Do Now:
Based on the issues discussed above, organizations should consider taking the following steps:
- Update documentation to account for new policy and procedure requirements.
- Examine cybersecurity policies and procedures to manage the cybersecurity program and report on material issues as needed.
- Implement policies and procedures for CISOs reporting to senior executive bodies, such as a board of directors, on material cybersecurity issues.
The Privacy+Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz and brings together leading experts in the areas of privacy and security law. This Fall’s Forum took place from November 8 to 10 in Washington, D.C.
If you have any questions about the issues discussed in this blog post, please do not hesitate to contact any member of our team.