Cybersecurity Awareness Month is a good time to highlight one trend in federal efforts to address cyber risk: proscriptive regulation of the information and communications technology and services (“ICTS”) supply chain.

Supply chain risk management is a broad field encompassing, among other things, federal efforts to improve software security, and proposals to revise the FAR

Recent high-profile cyber incidents involving exploitation of software vulnerabilities—such as the SolarWinds and MOVEit incidents—have increased scrutiny of the security of the software upon which corporate and government customers rely. Though phishing and social engineering continue to be leading causes of cyber incidents, there is growing potential legal exposure for companies from security vulnerabilities in

Last week, the government announced two sets of proposed revisions to the Federal Acquisition Regulation (FAR) to improve the cybersecurity of the government’s information systems. Both sets of revisions relate to President Biden’s May 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity.

First, the Department of Defense (DoD), the General Services Administration

Today, the UK Department for Science, Innovation and Technology announced further details on the new transatlantic data flow mechanism for UK-to-US personal data transfers. In particular, the UK Secretary of State for Science, Innovation, and Technology today laid new adequacy regulations before the UK Parliament to give effect to the proposed arrangement. The deal, announced

On August 8, 2023, the National Institute of Standards and Technology (“NIST”) released a draft of The NIST Cybersecurity Framework (CSF) 2.0,1 (the “CSF” or “Framework”) along with a Discussion Draft of the Implementation Examples.2 This draft makes the most significant changes to the Framework since its initial release in 2014.

Oregon has joined 10 other states in enacting a comprehensive data privacy law.1 On July 18, 2023, Governor Tina Kotek signed the Oregon Consumer Privacy Act (the “Oregon Privacy Law”) into law. The law imposes a range of new data privacy requirements on non-exempt controllers and processors of Oregon consumer personal data. The Oregon

On July 18, 2023, the Biden-Harris Administration announced its “U.S. Cyber Trust Mark” initiative.1 Under this program, the Federal Communications Commission (FCC) will establish a voluntary certification and labeling program to guide and inform consumers purchasing Internet of Things (IoT) devices such as “smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart

On July 19, 2023, the Office of the National Cyber Director (ONCD) issued a request for information (RFI) on cybersecurity regulatory harmonization.1 The RFI is intended to be a step toward the Biden Administration’s goal, as stated in the National Cybersecurity Strategy, to “harmonize not only regulations and rules, but also assessments and audits

The EU Digital Operational Resilience Act (“DORA”) entered into force in January 16, 2023, setting forth security requirements for network and information systems of organizations operating in the financial sector;

Obligations under DORA are to be further detailed by Regulatory Technical Standards (“RTS”) and Implementing Technical Standards (“ITS”), aimed at harmonizing requirements and facilitating implementation;

The New York Department of Financial Services (NYDFS) has proposed revisions to its cybersecurity regulation for banks, insurance companies and other financial services companies. The proposal significantly expands requirements for covered entities, including new requirements for larger companies, expanded governance requirements, additional notice and compliance certification requirements and more.

In this one-hour webinar, members of