Tag Archives: cybersecurity

EU Cybersecurity Act gets the green light!

On 7 June 2019, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Network and Information Security) and on information and communications technology cybersecurity certification, also known as the Cybersecurity Act, was given the final go-ahead and published in the Official Journal of the European Union.  The Cybersecurity Act will come into force on 27 … Continue Reading

FERC requests comments on proposed new CIP Reliability Standard regulating the transmission of data between control centers

On April 18, 2019, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) requesting comments on proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-012-1. As written, CIP-012-1 will require responsible entities to implement controls to protect communication links and data transmissions in an effort to mitigate cybersecurity risks to communications between … Continue Reading

The European Parliament adopts first stance to proposed EU Cybersecurity Act

On 12 March 2019, the European Parliament issued its first position on the text proposed by the European Commission for a Regulation of the European Parliament and of the Council on ENISA (the European Union Agency for Network and Information Security), also known as the EU Cybersecurity Act. Initiatives to build strong EU-wide cybersecurity The … Continue Reading

Draft amendments to China’s personal information standards proposed

China’s National Information Security Standardization Technical Committee issued draft amendments (Amendments) to the standards that govern the protection of personal information, “Information Security Technology – Personal Information Security Specification” (Standards, effective May 1, 2018) on February 1, 2019. The Standards provide guidance on interpreting China’s Cybersecurity Law (CSL) and set out best practices for the … Continue Reading

NERC enforcement action provides guidance to electric industry for compliance with the Critical Infrastructure Protection Reliability Standards

On January 25, 2019, a settlement agreement was reached between a utility company, which allegedly violated the Critical Infrastructure Protection (CIP) Reliability Standards, and the North American Reliability Corporation (NERC). Through this settlement, NERC provides guidance to the electric industry for compliance with the CIP Reliability Standards. The substantial penalties should prompt companies to educate … Continue Reading

Electric industry should focus efforts in 2019 to meet additional cybersecurity and supply chain requirements

In late 2018, the Federal Energy Regulatory Commission (FERC) published a final rule updating and adding to the Critical Infrastructure Protection (CIP) Reliability Standards, which are intended to help protect the bulk electric system (BES) in North America against cybersecurity risks. The final rule: Creates a new Supply Chain Risk Management Reliability Standard (CIP-013-1) Updates … Continue Reading

Singapore announces series of initiatives to boost cybersecurity in the telecoms sector

Singapore has set up a new Telecom Cybersecurity Strategic Committee (TCSC) to develop a plan to tackle ‘next-generation cyber threats’ in the telecommunications sector. The committee is expected to publish a strategy report and outline a roadmap for telecommunications operators to develop cybersecurity capabilities later in 2019. The report and roadmap will include recommendations for … Continue Reading

Informal agreement reached on EU cybersecurity proposal

On 10 December 2018, the European Parliament, the Council of the European Union, and the European Commission reached agreement on the cybersecurity proposal put forward by the Commission. The aim of the Commission’s proposal is to build strong cybersecurity standards in the EU, allowing the EU to become a global leader in cybersecurity. The proposal … Continue Reading

Highlighting the “SEC” in cybersecurity: Continued regulatory focus on preparedness and response

In recent months, the U.S. Securities and Exchange Commission (“SEC”) has emphasized cybersecurity as both an enforcement priority and corporate responsibility, demonstrating its continued focus on the need for issuers to have sufficient measures in place, including up-to-date compliance and incident response programs in order to maintain the integrity of the capital market system. The … Continue Reading

FDA revamps cybersecurity guidance for marketed medical devices

The Food and Drug Administration (FDA) published a draft update to its premarket cybersecurity guidance for device makers on October 18, 2018. The expanded draft guidance includes recommendations on tiered classification of cybersecurity risk, trustworthiness, cybersecurity bill materials, and device cybersecurity labeling that are specific enough to be helpful to manufacturers while at the same … Continue Reading

The new China cybersecurity inspection regulation broadens PSB authority

China’s new “Regulation on the Internet Security Supervision and Inspection by Public Security Organs” went into effect on November 1, 2018. It is the latest regulation passed by China’s Ministry of Public Security that executes China’s Cybersecurity Law, which took effect in June of last year. The regulation gives China’s Public Security Bureaus (PSBs) broad … Continue Reading

DOJ issues updated best practices on cyber incidents; incorporates CISA

On September 27, 2018, as part of the Department of Justice’s (DOJ) cybersecurity roundtable discussion, the DOJ’s Cybersecurity Unit issued Best Practices for Victim Response and Reporting of Cyber Incidents (the Best Practices), including a Cyber Incident Preparedness Checklist. As noted by the DOJ, the Best Practices do not have the force of law, and … Continue Reading

Monetary Authority of Singapore panel urges financial institutions to adopt cybersecurity measures

An international cybersecurity advisory panel formed by the Monetary Authority of Singapore (MAS) has recommended that all financial institutions in Singapore ensure that data stored on the public cloud is kept secure, and that they perform cybersecurity risk assessments on their third-party providers. These proposals were raised at the panel’s second annual meeting, after its … Continue Reading

Southeast Asian nations to form regional framework for cybersecurity cooperation

The Association of Southeast Asian Nations (ASEAN) announced last week that it will create a rules-based framework for its 10 member states to cooperate on cybersecurity matters. The 10 ASEAN members are Singapore (which is the chair for ASEAN this year), Malaysia, Indonesia, the Philippines, Thailand, Vietnam, Brunei, Myanmar, Laos and Cambodia. Singapore is expected … Continue Reading

The UK responds to NISD consultation

The government has published its response to the April 2018 targeted consultation on the Security of Network and Information Systems Directive (NISD). The targeted consultation specifically addressed how NISD will apply to Digital Service Providers (DSPs) in the UK, focusing on the identification of DSPs, security measures and further guidance. This follows the government’s public … Continue Reading

September 4, 2018: NYDFS Cybersecurity Regulation Compliance date arrives

As of today, Covered Entities are expected to be compliant with additional provisions under the New York State Department of Financial Services (NYDFS) cybersecurity regulation. A “Covered Entity” is any individual or non-governmental entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, … Continue Reading

EU to create a cybersecurity certification framework

To enhance cyber resilience, the EU is building a certification framework for information and communication technology (ICT) products, services and processes. On 8 June 2018, the Council agreed a Proposal (known as the Cybersecurity Act) to prepare for negotiations with the European Parliament to finalise the text. One of the effects of the Proposal is … Continue Reading

Network and Information Systems Regulations 2018 come into force in the UK and government cybersecurity survey is published

On 10 May 2018, the Network and Information Systems Regulations 2018 (NISR) came into force in the UK. NISR stems from the Network Information Systems Directive 2016 of the EU, which has been covered by this blog previously. Relatedly, on 25 April 2018, the UK government’s Department for Digital, Culture, Media and Sport (DCMS) published … Continue Reading

Being first isn’t always best: SEC settles for $35 million fine for failure to disclose data breach to investors

Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors On April 24, 2018, U.S. Securities and Exchange Commission (SEC) and Altaba Inc., (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts that occurred in 2013 and … Continue Reading

Keys to the City: Recent developments in New York City address cybersecurity risks

In the wake of recent cyberattacks, cities and states are taking a stand. On March 29, New York City (the City) Mayor Bill de Blasio announced NYC Secure, an initiative that will include a suspicious activity alert app for residents and security upgrades to the City’s public Wi-Fi networks.[1]The initiative is intended as a citywide … Continue Reading

UK government publishes response to its consultation on the Directive on security of networks and information systems

The UK government has published its response to a public consultation on the EU Directive on security networks and information systems (NIS Directive) that opened in August last year. The response sets out the UK’s vision for improving the security of the UK’s essential services by implementing the NIS Directive. The NIS Directive The NIS … Continue Reading

Study identifies cybersecurity and privacy shortcomings in health apps

A recent study conducted by researchers at the University of Piraeus, published in the Institute of Electrical and Electronics Engineers’ Access journal (29 January 2018), has indicated that many popular health apps have significant privacy and cybersecurity failings; many of them do not follow standard practices nor will they comply with the upcoming General Data … Continue Reading

An interview with Indiana AG Curtis Hill

Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with Indiana Attorney General Curtis Hill. AG Hill has prioritized rolling back federal overreach and safeguarding consumers from fraud and scams, along with continuing to take a hard line … Continue Reading

Guiding light: SEC adopts updated cybersecurity guidance

Last week, the Securities and Exchange Commission (SEC) unanimously adopted new cybersecurity guidance aimed at assisting public companies in their preparation of cybersecurity risk and incident disclosures. In its new Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures, the SEC is aiming to apply lessons learned from the many major data security incidents that … Continue Reading
LexBlog