Cybersecurity Law and Compliance

• Examining the threat actor landscape, where are the threats, how are they manifesting, and what is the impact on companies and business
• Gauging the level and intensity of cyber attacks
• Lessons learned from recent cyber incidents including:
• Interactions with the hacking groups Scattered Spider and LockBit
• What are government agencies doing to combat cyber attackers
• Paying or not to paying ransomware, what considerations when a sanction is concerned
• Negotiating with hackers, best practices

EU is leading the charge in cybersecurity and US companies need to be bracing for impact. This session will address current and incoming European legislation and regulations that will affect global businesses. NIS2, The Network and Information Security (NIS) Directive, comes into effect October 2024, introducing more detailed incident reporting requirements and timelines.

• Identifying which sectors and companies will be expected to comply, such as cloud services and critical infrastructure
• Outlining the reporting requirements

• Redesigning software to meet specification
• Reporting vulnerabilities in your software

DORA, the Digital Operational Resilience Act, will affect financial institutions and their technology suppliers as of January 2025.

• Reducing risk service providers and third-party vendors
• Meeting requirements for IT risk management and operational resiliency

• Surveying how the different U.S. states are regulating Artificial Intelligence, what provisions are being included and how companies need to be thinking about incoming regulations.
• Defining what is and what is not Artificial Intelligence and the scope of your policy. Going beyond ChatGPT
• Examining what kind of Artificial Intelligence your company already has
• Estimating your company’s AI risk tolerance and whether it is appropriate for your business
• Creating a policy and guidelines
• Setting up an AI oversight program
• Implementing parameters, what are you allowing within you business, and options for opt-in, opt-out of AI when solutions are incorporated
• Knowing how your third-party providers are using AI and how that may expose your company to risk
• Examining the risk of becoming too dependent on a tool

• Monitoring how your third-party providers are interacting with your data, what line of sight do they have, and what is in the contracts
• Benchmarking what is market standards for third-party contracts and what does a conservative contract include
• Identifying which regulations will apply, how they overlap or differ, and to what kind of vendor types
• Determining how deeply the security department going for risk assessment
• Evaluating vendors: how is IT team vetting and how is the legal team vetting a vendor
• Determining what is acceptable risk
• Onboarding new vendors and evaluating the risk

The Cybersecurity and Infrastructure Security Agency (CISA) requires covered entities to report cyber incidents and ransomware payments under the Cyber Incident Reporting for Critical Infrastructure Act (2022) (CIRCIA). This session will examine how cyber should be incorporated into critical infrastructure security and resilience policy. The current policy covers 16 critical infrastructure sectors which are considered vital to US security, national economic security and national public health or safety.

• Adhering to CISA reporting timeframes
• Identifying which business categories are capture and defining critical infrastructure, how it applies to different sectors and how it may be redefined under updated policy
• Examining CISA’s role to support state and industry partners
• Identifying essential workers needed to maintain services and functions for American’s daily functions
• Hypothesizing potentially debilitating national security, economic, public health or safety consequences of a cyber breach and safeguarding against this possibility
• Examining reporting requirements following a breach

Hear directly from state legislative representatives as they discuss how cybersecurity measures are being incorporated into state laws. Discuss how state laws work in concert with federal laws and regulations and where there are gaps. Join this an interactive Q&A session.

The U.S. Supreme Court issued a landmark decision in Loper Bright Enterprises v. Raimondo (2024) overturning Chevron USA v. National Resources Defense Council (1984) and the federal judiciary’s standing practice of accepting a government agencies’ reasonable interpretations of ambiguous federal laws. This session will delve into what this precedent-setting decision will mean for government agencies regulating the emerging cyber space.

• Exploring the practical impact of the Supreme Court decision
• Calculating how much authority government agencies have in the eyes of the court

Salt Typhoon attack

Hackers targeted phones and listened in on conversations.

• Including Donald Trump, JD Vance, Kamala Harris campaign workers and State Department officials
• Hackers acquired access to the system that logs U.S. law enforcement requests for criminal wiretaps

BeyondTrust attack

Chinese hackers were able to remotely access certain unclassified documents on Treasury Departmental Offices user workstations.

• The hackers compromised third-party cybersecurity service provider BeyondTrust
• Also breached the Office of Foreign Assets Control (OFAC) as well as the Office of the Treasury Secretary

Crowdstrike Software Update

Not a cyberattack, but the July 2024 software update caused widespread concerns and business disruption.

• Defining what is considered a cyber incident, what is material and what is filed in the 8K
• Delineating fault when there is a business disruption, recouping costs and indemnification
• How is this treated under the cybersecurity rule

Change Healthcare and Optimum Attack

The healthcare technology company Change Healthcare experienced a cyberattack, affecting millions of customers, in February 2024.

SolarWinds and Lawsuit against CISO

The Security and Exchange Commission has charged the SolarWinds CISO with fraud and internal control failures relating to a cybersecurity risk.

• Exploring the extent of personal liability
• Testing how companies are presenting themselves as secure, and is the company doing what is advertised

ICBC Cyberattack

• Exploring business continuity in the midst of an attack and business resiliency

Microsoft GDPR Violation

A Microsoft-owned advertising company, Xandr, is accused of a EU privacy breach under General Data Protection Regulation (GDPR) rules.

• Controlling subsidiaries and the reputational risk
• Examining the EU GDPR complaint process and possible fines

• Approaching a lawsuit from the plaintiff’s perspective
• Examining what steps companies can take to minimize litigation action
• Exploring who owns data, who can access it, what is a transaction, and where liability may lie
• Ensuring your general counsel is in good standing
• Preparing and responding to litigation
• Clarifying where liability may be for an individual