Paul Hastings Hosts Perspectives From Cybersecurity Regulators Panel at Privacy+Security Forum

On October 23, 2024, Paul Hastings hosted the Cybersecurity Law Workshop at this fall’s Privacy+Security Forum with a panel on Perspectives From Cybersecurity Regulators.

The panel was moderated by Co-Chair of Paul Hastings’ Data Privacy and Cybersecurity group, Aaron Charfoos, and featured panelists Micheal Brennan (Assist. Director, Crypto Assets & Cyber Unit, Division of Enforcement, Securities Exchange Commission (SEC)) and Harriet Pearson (Axia Advisory LLC, Former Cybersecurity Head, New York Department of Financial Services (NYDFS)).

Panelists discussed key takeaways from the SEC and NYDFS. Please see below some takeaways from the panel:

NYDFS as a Blueprint

Panelists highlighted the role of NYDFS Cybersecurity Regulation Part 500, noting it as a “national model” often used by companies looking to design their cybersecurity programs. Part 500, which originally went into effect in 2017, continues to evolve. The latest set of amendments, passed last year, went into effect on November 1, 2024, and, among other things, will require covered entities to implement encryption measures and adopt business continuity and disaster recovery plans. Pearson noted that although Part 500 continues to release amendments, the last few years serve as a fair guide for NYDFS’ approach to future developments. Covered entities should ensure that they are up to date on all Part 500 requirements, as well as each set of amendments as they are released.

SEC Cyber Disclosures

Panelists also discussed the SEC’s reporting requirements for material cybersecurity incidents, noting recent trends and patterns. Companies are now required to disclose material cyber incidents within four days of determining that an incident is material. Panelists clarified the reporting standard as anything that would be material to investors. Specifically, in determining whether an incident is material, companies should consider what would be important to a reasonable investor and the potential impact on operations. Recently filed disclosures demonstrate a trend where companies are erring on the side of caution by including more detail when disclosing material cybersecurity incidents. This may include impact on operations, sensitivity of information, and potential harm.

The Privacy+Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz and brings together leading experts in the areas of privacy and security law. Paul Hastings was a sponsor for this fall’s Forum, which took place from October 23-25 in Washington, D.C.

Our Privacy and Cybersecurity practice regularly advises companies on key issues. If you have any questions concerning these issues or any other data privacy or cybersecurity developments, please do not hesitate to contact any member of our team.