US – Cyber security in flux

As October is Cybersecurity Awareness Month, it’s an appropriate time to provide an overview of the evolving cybersecurity obligations, guidance, and risks following recent regulatory developments and cyberattacks that regulators are seeking to address.

Our update here offers four critical takeaways for every business in managing their cybersecurity program.

Takeaway #1: Cybersecurity programs must be “real”, not “check-the-box.”

SEC Director Grewal remarked that “firms need to have real policies that work in the real world, and then they need to actually implement them; having generic ‘check-the-box’ cybersecurity policies simply doesn’t cut it.” For example, “real” cybersecurity education and training should be tailored not only to the applicable business and the risks that it faces, but also on a department-by-department basis to address each department’s particular responsibilities and risks.

Takeaway #2: Companies must regularly review and update their cybersecurity programs to keep up with constantly evolving threats.

The typical standard with respect to such “regular” review and update is “at least annual.” However, annually may not be enough. Companies will need to exercise judgement about when a significant or material change has impacted their business and altered their risk profile. They will need to respond in kind by conducting updated cybersecurity risk assessments and updating relevant policies and procedures.

Takeaway #3: Appropriate information must be reported, both internally and externally.

Examples of internal reporting obligations and principles in connection with the recent regulatory developments include the CPPA’s draft cybersecurity audit regulations, which would require that the audit’s findings be reported to the business’s board of directors. Added to this are the numerous external reporting obligations, including a number of new obligations set out in our update.

Takeaway #4: Individuals whose personal data is compromised are NOT the only victims

Director Grewal indicated that “When there are cyberattacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents.”

Similarly, class action lawsuits arising out of cybersecurity incidents have been filed not just on behalf of affected “consumers” whose personal data was compromised (e.g., in connection with the Estée Lauder, MGM Resorts, and Caesars Entertainment cyberattacks), but also on behalf of investors in the company targeted by the cyberattack (e.g., in connection with the SolarWinds cyberattack).


Read more in our update here