On May 8, 2024, Paul Hastings Hosted the Cybersecurity Law Workshop at this spring’s Privacy + Security Forum with a panel on cybersecurity regulatory trends and recent developments. The panel was moderated by Paul Hastings Of Counsel John Gasparini and featured Alicia Rosenbaum (Vice President and Associate General Counsel, Technology, Salesforce), Joel Max (Cybersecurity Officer, Smart Infrastructure, Siemens), and Paul Eisler (Vice President, Cybersecurity, USTelecom).

The panel provided various perspectives on the practical impacts of recent regulatory changes related to cybersecurity, including the Securities and Exchange Commission’s (SEC) incident reporting and risk management disclosures rules. The panel further provided perspectives on the anticipated impact of impending regulations, including the implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), expanded requirements in the Federal Acquisition Regulations, and developments outside the United States impacting global companies.

Here are some of the main takeaways from the panel—

Defining Key Terms. Panelists highlighted growing concerns among organizations regarding definitions for terms used in the CIRCIA, specifically terms such as “substantial,” “important,” and “material.” Speakers explained that organizations can be more effective in compliance efforts with greater clarity on terms such as these.

Harmonization Challenges. Panelists addressed challenges in harmonization— specifically how the challenge of weaving new and impending compliance requirements into varying parts of a business manifests. Speakers explained that if a business has several cloud environments, for one incident, that business would need to consider the incident footprint in each of those environments and must prioritize accordingly. Additionally, speakers noted concerns that in more strictly regulated industries, it is not clear what the CIRCIA rules will look like upon finalization, leading to uncertainty for compliance with CIRCIA.

Desired Changes. Panelists explained several changes organizations and industries desire in relation to compliance requirements for new and impending regulations. Specifically, speakers discussed that there will be differences in what gets reported among practitioners in their compliance efforts. Organizations may therefore find it more beneficial to have the opportunity to correct (an opportunity to cure) their reporting in a formal manner before regulators issue a subpoena. Further, as noted above, there is a growing need for more definitive guidance on specific expectations of regulators for compliance with new and impending regulations. Finally, speakers explained that a lot of the regulatory changes are about raising the bar on compliance work already in place and having a dialogue on regulators’ expectations for compliance would allow for greater efficiencies in compliance efforts. Panelists explained that having hard and fast rules is challenging because compliance efforts will continue to evolve, so a strong feedback loop with regulators could benefit industry and organizations.

The Privacy+Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz, and brings together leading experts in the areas of privacy and security law. Paul Hastings was a sponsor for this spring’s Forum, which took place from May 8-10 in Washington, D.C.

Our Privacy and Cybersecurity practice regularly advises companies on key issues, including impacts of regulatory changes related to cybersecurity. If you have any questions concerning these issues or any other data privacy or cybersecurity developments, please do not hesitate to contact any member of our team.