
Stephen Lilley is a partner in the Washington DC office of Mayer Brown. He focuses his practice on helping clients navigate cutting-edge and interrelated litigation, regulatory, and policy challenges. A member of the firm’s Litigation and Cybersecurity & Data Privacy practices, Stephen develops strategies to manage legal risks and to shape regulatory policy across a broad range of substantive areas.

Stephen has significant experience working with clients to identify, evaluate, and manage cybersecurity and data privacy risks; responding to cyber incidents and vulnerability disclosures; and defending businesses in related litigation. Stephen is regularly called upon to advise senior executives and board members on their most challenging cybersecurity risks, to help companies develop governance programs to mitigate those risks, and to lead training exercises to implement and refine those programs. Stephen has particular experience advising on cybersecurity and national security issues relating to the Internet of Things, including vehicles and medical devices, and to manufacturing, critical infrastructure, and other industrial systems. Widely recognized for his cybersecurity law and policy experience, Stephen previously served as Chief Counsel to the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism, where he focused on cybersecurity issues.


On November 1, 2023, the New York Department of Financial Services (“NYDFS”) finalized the amendment to its cybersecurity regulation (the “Amendment”). The Amendment expands cybersecurity requirements across many areas—from governance to incident response to access controls.

The Amendment follows the three published drafts: two proposals published for formal notice and comment in November 2022 and

On October 30, 2023, President Joe Biden issued an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (the “AI EO”). Directing numerous actions by federal agencies, the AI EO reflects the Biden Administration’s intent to employ a range of legal and policy tools to promote US leadership on artificial

On 13 September 2023, negotiations began between European institutions to adopt the text of the EU Cyber Resilience Act (the “CRA”). If adopted, the CRA will impose a set of software security, cybersecurity, and vulnerability management requirements on products with digital elements (i.e., software or hardware products and their remote data processing solutions) placed on

Cybersecurity Awareness Month is a good time to highlight one trend in federal efforts to address cyber risk: proscriptive regulation of the information and communications technology and services (“ICTS”) supply chain.

Supply chain risk management is a broad field encompassing, among other things, federal efforts to improve software security, and proposals to revise the FAR

Recent high-profile cyber incidents involving exploitation of software vulnerabilities—such as the SolarWinds and MOVEit incidents—have increased scrutiny of the security of the software upon which corporate and government customers rely. Though phishing and social engineering continue to be leading causes of cyber incidents, there is growing potential legal exposure for companies from security vulnerabilities in

Last week, the government announced two sets of proposed revisions to the Federal Acquisition Regulation (FAR) to improve the cybersecurity of the government’s information systems. Both sets of revisions relate to President Biden’s May 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity.

First, the Department of Defense (DoD), the General Services Administration

On August 8, 2023, the National Institute of Standards and Technology (“NIST”) released a draft of The NIST Cybersecurity Framework (CSF) 2.0 (the “CSF” or “Framework”) along with a Discussion Draft of the Implementation Examples. This draft makes the most significant changes to the Framework since its initial release in 2014.

On July 26, 2023, the U.S. Securities and Exchange Commission (the “SEC”) issued a release, adopting final rules (the “Final Rules”) aimed at standardizing and enhancing disclosure relating to cybersecurity incidents and risk management processes. The SEC had proposed rules (the “Proposed Rules”) on March 9, 2022. The Final Rules reflect the considerable comments received

On July 18, 2023, the Biden-Harris Administration announced its “U.S. Cyber Trust Mark” initiative. Under this program, the Federal Communications Commission (FCC) will establish a voluntary certification and labeling program to guide and inform consumers purchasing Internet of Things (IoT) devices such as “smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart

On July 19, 2023, the Office of the National Cyber Director (ONCD) issued a request for information (RFI) on cybersecurity regulatory harmonization. The RFI is intended to be a step toward the Biden Administration’s goal, as stated in the National Cybersecurity Strategy, to “harmonize not only regulations and rules, but also assessments and audits