Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.Continue Reading FBI Offers Pathway to Request Delay of SEC Cybersecurity Incident Disclosures
Matthew B. Welling
Matthew B. Welling is a partner in Crowell & Moring's Washington, D.C. office, where he practices in the firm's Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.
Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack
On October 30, 2023, the Securities and Exchange Commission (the “SEC”) filed a civil lawsuit charging SolarWinds Corporation (“SolarWinds” or the “Company”) and its chief information security officer, Timothy G. Brown (“Brown”), with securities fraud, internal controls failures, misleading investors about cyber risk, and disclosure controls failures, among other violations. The SEC’s claims arise from allegedly known cybersecurity risks and vulnerabilities at SolarWinds associated with the SUNBURST cyberattack that occurred between 2018 and 2021.Continue Reading Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack
Five Key Takeaways from the SEC’s Final Cybersecurity Rules for Public Companies
On July 26, 2023, the SEC finalized long-awaited disclosure rules (the “Final Rules”) regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. While the end results are substantially similar to rules proposed by the SEC in March 2022, there are some key distinctions. Continue Reading Five Key Takeaways from the SEC’s Final Cybersecurity Rules for Public Companies
Impacts of the National Cybersecurity Strategy on Government and Private Sector Collaboration
On March 2, 2023, the Biden-Harris Administration released the National Cybersecurity Strategy.[i] The highly anticipated Strategy has illuminated that a more overt and aggressive approach to mitigating cyber risks may be necessary to drive real change, leading to the anticipation of increased communication and partnerships between private companies and government agencies.[ii] The…
Biden Administration Releases Comprehensive National Cybersecurity Strategy
On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”
Summary and Analysis
The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security…
Cyber and Physical Attacks on the Electric Grid Should Prompt New Year’s Resolutions for the Energy Industry
This has not been a joyful winter for energy industry executives. They have repeatedly awoken to alerts that substations in the Northwest and Southeast have been physically attacked and that a major engineering firm was the subject of a ransomware cyberattack that may have compromised utility data.
Federal regulators are taking notice. On December 7…
SAFETY ACT LIABILITY PROTECTIONS WILL BE TESTED
After over a decade, the first action has been filed that may test the bounds of the Support Anti-Terrorism by Fostering Effective Technologies Act (“SAFETY Act”) of 2002. MGM Resorts International recently filed suit related to the October 2017 Mandalay Bay country music concert shooting, asking a federal court to rule that it cannot be…
Colorado’s New Data Privacy Bill Increases Notification and Safeguarding Requirements
The Colorado legislature recently passed a new data privacy law, House Bill 18-1128, which heightens requirements for corporate and public entities handling personal information of Colorado residents. Effective September 1, 2018, the law aims to strengthen consumer data privacy by 1) shortening the time frame required to notify affected Colorado residents and the Attorney…
Seventh Circuit Revives Data Breach Case Despite No Evidence Of Monetary Harm
The U.S. Court of Appeals for the Seventh Circuit (the “7th Circuit”) recently issued an opinion in Heather Dieffenbach, et al. v. Barnes & Noble, Inc. that is potentially concerning for current and potential defendants in class action claims related to data breaches. The case relates to a 2012 incident where Barnes & Noble discovered…
FERC Proposes to Require Expanded Cyber Security Incident Reporting
The Federal Energy Regulatory Commission (“FERC”) recently proposed that the North American Electric Reliability Corporation (“NERC”), which is responsible for promulgating and enforcing FERC-approved mandatory electric reliability standards, revise its Critical Infrastructure Protection (“CIP”) standards to require additional circumstances under which reporting of cybersecurity incidents is mandatory. FERC’s goal is to enhance the awareness of…