Skip to main content

Clifford Chance

Clifford Chance
All
Cyber<br />

Cyber

Talking Tech

Featured

Alternative Text

Cyber

Survey of Cybersecurity Disclosures in Annual Reports on Form 10-K Filed by Selected Well-Known Seasoned Issuers

We have developed this survey to provide information to our clients and other interested parties about cybersecurity related disclosures included in annual reports on Form 10-K. Our survey focuses on companies registered with the U.S. Securities and Exchange Commission (SEC) that have disclosed that they qualify as well-known seasoned issuers and that we understand are included in the Fortune 100 index. The charts included in the survey attached below reflect selected statistics that we believe provide useful information about cybersecurity disclosure characteristics and related governance practices. A list of the companies whose annual reports we reviewed is provided in Annex A.
Alternative Text

Cyber

Draft Rules for Cyber Incident Reporting for Critical Infrastructure Companies

On March 27, 2024, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rule Making detailing requirements for compliance with the Cyber Incident Reporting for Critical Infrastructure Act. The draft rule would subject critical infrastructure companies to some of the most aggressive breach notification timelines in the world.

Alternative Text

Cyber

Cybersecurity and the ASX Listing Rules: Key Takeaways from the Updated Guidance Note 8

The Australian Securities Exchange (ASX) has updated its Guidance Note 8 (effective 27 May 2024) which provides crucial insights for listed entities on managing and disclosing cyber incidents. The Guidance is particularly relevant in an era where data breaches and cyber-attacks are becoming increasingly common. It outlines the circumstances under which a listed entity must disclose a data breach and the exceptions to their disclosure obligations. We set out the key takeaways for listed entities in Australia.

Cyber

Cybersecurity in Europe: where are we now?

Four years into the 2020s there is a clear push in the European Union harmonisation of the rules within the cyber security landscape, with the financial services sector, devices, and cloud security being key areas of focus. This has been a long time coming. Under the guise of its 2020 Cybersecurity Strategy for the Digital Decade, the EU has embarked on a flurry of regulatory developments and proposals that, between them, aim to enhance the baseline cybersecurity of organisations operating in the EU, and levy stronger obligations on certain sectors such as financial services and critical infrastructure. In this overview article, we examine some of these key regulatory developments in the EU, whilst highlighting equivalent efforts, where applicable, in the UK.

Cyber

Cybersecurity update Singapore's Cybersecurity Act extends its reach

Singapore's Cybersecurity (Amendment) Bill was passed by the Parliament on 7 May 2024. The Bill amends and updates the Cybersecurity Act 2018 to adapt to emerging technologies, a wider landscape of digital infrastructure providers, and evolving threat actors, and has potentially significant implications for any business that provides an 'essential service' in Singapore or provides digital infrastructure services either to or from Singapore. We offer some key takeaways from amended Act.

New Amendment to New York's Cybersecurity Requirements for Financial Services Companies: a Call to Swift and Urgent Action
Cyber

New Amendment to New York's Cybersecurity Requirements for Financial Services Companies: a Call to Swift and Urgent Action

On November 1, 2023, the New York State Department of Financial Services (DFS) announced an amendment to its cybersecurity requirements for financial services companies, 23 NYCRR Part 500.

Read
The EU Cyber Resilience Act – Towards a safe and secure digital market in Europe

The EU Cyber Resilience Act – Towards a safe and secure digital market in Europe

In this briefing we overview the CRA as adopted by the European Parliament on 12 March 2024, including the obligations imposed on those involved in the supply chain of connected devices, and consider key changes made by the Council and the European Parliament (the co-legislators) to the European Commission’s original proposal.

Read
Court of Justice of the European Union on GDPR & Cybercrime
Data

Court of Justice of the European Union on GDPR & Cybercrime

On 14 December 2023, the Court of Justice of the European Union (CJEU) published its preliminary ruling in Case C-340/21 involving the Bulgarian National Revenue Agency (NAP), which suffered a cyberattack leading to the unauthorized disclosure of personal data.

Read
Cyber

NYDFS Flexes Enforcement Muscle in Crypto Markets With $30 Million AML and Cybersecurity Fine and Draft Cybersecurity Amendments

The New York Department of Financial Services ("NYDFS") levied a hefty $30 million penalty on Robinhood Crypto, LLC ("Robinhood Crypto"), citing what the agency identified as persistent and pervasive transaction monitoring and cybersecurity compliance failures. NYDFS also required Robinhood Crypto to retain an independent compliance consultant for 18 months.

Read

EU Cyber Resilience Act Approved by European Parliament

On Tuesday 12 March, the European Parliament approved the Cyber Resilience Act, a milestone EU regulation which will set cyber security rules for 'products with digital elements' made available on the EU market. The CRA is now awaiting formal approval by the Council and is expected to enter into force in the coming months, with its rules becoming fully applicable over various transition periods. We overview key aspects of the CRA and flag some of the changes that have been introduced since the original Commission proposal.

Read
Cyber

SEC Adopts New Cybersecurity Disclosure Requirements for Public Companies

On July 26, 2023, the U.S. Securities and Exchange Commission adopted new cybersecurity related disclosure requirements that will apply to public companies that are subject to periodic reporting obligations under US federal securities law. The SEC is amending Form 8-K to require registrants that use this form to report specified information related to a cybersecurity incident within four business days of determining that the incident is material.

Read
DORA: Exploring what the new European Framework for Digital Operational Resilience means for your business
Cyber

DORA: Exploring what the new European Framework for Digital Operational Resilience means for your business

On 10 November 2022, the European Parliament voted to adopt a new EU regulation on digital operational resilience for the financial sector (DORA). With obligations under DORA coming into effect late in 2024 or early 2025 at the latest, in this article we take a closer look at its impact and consider what the regulation will mean for firms, their senior managers and operations and what firms should be doing now in preparation for day one compliance.

Read
EU Cyber Resilience Act – proposed cybersecurity rules for connected products

EU Cyber Resilience Act – proposed cybersecurity rules for connected products

The proposed Cyber Resilience Act will introduce new common cybersecurity requirements for "products with digital elements" placed on the EU market. Forming part of the EU's Cybersecurity Strategy, this proposed regulation would impose a range of obligations on manufacturers, importers and distributors of connected hardware and software, with the aim of ensuring that technical vulnerabilities are minimised and managed in a transparent manner. This article discusses key aspects of the proposal.

Read
NYDFS fines health insurer EyeMed $4.5 million for cybersecurity violations after mandatory self-report

NYDFS fines health insurer EyeMed $4.5 million for cybersecurity violations after mandatory self-report

NYDFS learned about the breach after EyeMed reported the incident, as required by the Cybersecurity Regulation. The penalty is a reminder to companies in scope of the regulation to make sure to review their compliance before an incident, a costly lesson more and more companies are learning from NYDFS.

Read
The Solana Cyber-attack: What now?
Cyber

The Solana Cyber-attack: What now?

Hackers have been targeting various areas of the crypto market, including bridges, exchanges and wallets. One such example occurred in August 2022, which was the major cyber-attack on the Solana ecosystem (Solana), raising questions about the security of underpinning cryptoassets and causing loss to investors across the globe.

READ
Ransomware Playbook
Cyber

Ransomware Playbook

Our newly updated international playbook addresses how best to prepare for and respond to a ransomware attack, and contains guidance from key jurisdictions around the world regarding applicable legal regimes

READ
Congress passes broad legislation requiring critical infrastructure sectors to report substantial cyber incidents and ransomware payments
Cyber

Congress passes broad legislation requiring critical infrastructure sectors to report substantial cyber incidents and ransomware payments

This statute is the first federal law to require reporting of cyber incidents across a wide range of industries. These requirements will take effect upon the finalization of implementing regulations by the Cybersecurity and Infrastructure Security Agency (CISA).

READ
To pay or not to pay? The ransomware conundrum
Cyber

To pay or not to pay? The ransomware conundrum

Held to ransom?

READ
FinCEN flexes new expertise in clear warning to companies broadly involved in processing ransomware payments
Fintech

FinCEN flexes new expertise in clear warning to companies broadly involved in processing ransomware payments

Strengthen your detection and monitoring

READ
Treasury ransomware advisories warn companies to consider collateral legal risks in payments
Cyber

Treasury ransomware advisories warn companies to consider collateral legal risks in payments

Updating the ransomware playbook

READ
See All our Cyber Content

Upcoming events

digital-eye-600x400-3

9 July 2024: Central Bank Digital Currencies with Clifford Chance and the International Monetary Fund (IMF)

We are delighted to invite you to join us on Tuesday 9 July for a virtual event focused on the evolving legal questions around the development of central bank digital currencies (CBDCs) with the International Monetary Fund (IMF) and Clifford Chance. This insightful session will bring together leading global industry experts advising on CBDC design and implementation to discuss the crucial legal considerations and latest developments as more jurisdictions around the globe meaningfully explore the introduction of CBDCs. View full details of the Programme and Speakers.

Time: from 9:00 EST/ 14:00 BST / 15:00 CEST / 17:00 GST / 21:00 SGT

To Register, please complete the online registration form.
See all our events

Toolkits & Client Log-in