The SEC recently announced a settlement with Pearson plc where the company has agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber incident. According to the order, Pearson made misleading statements and omissions about a 2018 data breach involving the theft of student data and administrator credentials in its July 2019 semi-annual report.
Continue Reading SEC Fine Highlights Importance of Cybersecurity Disclosures
The New York State Department of Financial Services recently announced new guidance addressing ransomware attacks, and highlighting cybersecurity measures to significantly reduce the risk of an attack. The guidance comes as ransomware rates have been increasing, and builds on the post SolarWinds guidance from NYDFS about supply chain management. It was released just prior to the most recent large attack, namely the July 2nd supply-chain ransomware attack centered on the U.S. information technology firm Kaseya.
Continue Reading NYDFS Issues Ransomware Guidance
The Department of Labor recently issued cybersecurity guidance to retirement plans. The department’s Employee Benefits Security Administration (EBSA) issued guidance in three areas: (1) hiring and working with vendors and service providers; (2) implementing an internal cybersecurity program for the plan; and (3) online security for plan participants and end-users.
Continue Reading Cybersecurity Guidance Issued to Retirement Plan Sponsors
NYDFS Issues Supply Chain Management Guidance
The New York State Department of Financial Services recently issued recommendations to financial institutions in the aftermath of the SolarWinds cyberattack. In that attack, hackers inserted malware into SolarWinds software which was then distributed to SolarWinds’ customers (many of which were financial institutions). After discovery, SolarWinds released a series of hot fixes to address vulnerabilities in their software associated with the attack. Although NYDFS found that most companies responded quickly to patch the vulnerabilities, it did identify additional steps to reduce supply chain risk:
Continue Reading NYDFS Issues Supply Chain Management Guidance
Cyberattacks have become big business from the standpoint of attackers. Threat actors range well beyond cults of old, and now including sophisticated state actors, large businesses organized for the very purpose of cyber breach and theft, and complex threat networks that aggregate information formerly treated as innocuous. This is a real risk for companies as we look forward to the remainder of 2021. At the same time, ransomware is changing the state of cyber insurance, with regulators across the globe entering the field to govern the conduct of attacked businesses in this climate. Regulations cover terms of ransom payments and subsequent obligations to persons whose information goes out the pipes. For more on these risks, you can listen to the recent Nota Bene podcast episode (on Apple Podcasts, Google Podcasts, Spotify, or Stitcher) with Sheppard Mullin partners Kari Rollins and Michael Cohen.
Continue Reading Managing the World of Cybersecurity in a New Era
As we reach the end of January 2021, it is becoming increasingly clear that this will be a busy year in the areas of privacy and data security. Following up on our posts discussing some of the important trends from last year, the Sheppard Mullin Privacy and Cyber Security team has put together a comprehensive resource containing all of our posts from last year. From a focus on artificial intelligence, to international data flow and vendor transfer concerns, to ongoing enforcement of a patchwork of laws, we anticipate many of the issues facing companies in 2020 will not go away this year.
Continue Reading 2020 Privacy Year In Review
NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control Baselines for Information Systems and Organizations. As we previously discussed when the draft version was released, these control baselines are from NIST Special Publication 800-53, and have been moved to this separate publication as a consolidated catalog of privacy and security controls. While the implementation of a minimum set of controls is required for protecting federal information systems, NIST envisions that these control baselines can be implemented by any organization that processes, stores, or transmits information.
Continue Reading NIST Finalizes Guidance on Security and Privacy Control Baselines – SP 800-53B
The Department of Defense (DoD) recently published an interim rule that sets forth its Cybersecurity Maturity Model Certification (CMMC) program plan, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” NIST SP 800-171 relates to protection of sensitive, but unclassified information (within a company’s system.) The interim rule will be effective November 30, 2020, and comments are due the same day. You can read our in-depth breakdown of the key provisions here.
Continue Reading Interim Rule Solidifies Cybersecurity Requirements for Defense Industrial Base
Late this summer the New York Department of Financial Services (NYDFS) announced its first enforcement action since the cybersecurity rules went into effect in March 2017. The action was brought against First American Title Insurance Co. as a result of a 2018 data breach exposing 850 million customer records containing sensitive personal information.
Continue Reading What the First Enforcement Action under NYDFS Cybersecurity Reg Means to Companies
On Friday, May 29, the Cybersecurity and Infrastructure Security Agency (CISA) issued the first in a series of six Cyber Essentials Toolkits. These toolkits are described as “bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential,” focused on building a company’s cyber readiness.
Continue Reading CISA Issues First Installment of Cyber Essentials
The Securities and Exchange Commission recently published a set of observations designed to assist financial market participants. While not legally binding, the observations are guideposts for investment companies, securities issuers, and others. They outline steps to improve cyber preparedness and to protect against well-known and evolving cybersecurity threats faced by companies in the United States and worldwide.
Continue Reading Buyers (And Sellers) Beware!: SEC Observations on Cybersecurity and Resiliency