As we approach the end of the year, here are the Top 10 Cybersecurity posts on the Debevoise Data Blog in 2024 by page views. If you are not already a Blog subscriber, click here to sign up.
- Managing Cybersecurity Risks Arising from AI – New Guidance from the NYDFS (October 20, 2024)
As cybersecurity risks continue to grow, so does the regulatory landscape. In October 2024, New York’s Department of Financial Services (“NYDFS”) issued guidance to companies governed by Part 500 regarding how to manage growing cybersecurity risks related to AI. In this post, we discuss how companies can comply with NYDFS’s current approach by establishing internal governance committees, conducting a gap assessment against existing controls and standardizing due diligence processes, among other practical tips.
Attackers’ increasing use of deepfake technology may necessitate additional training and enhanced verification protocols to keep companies safe. In this post, we explain how hackers use deepfakes to promulgate business email compromise (“BEC”) scams and discuss three ways companies can help mitigate the risks those scams pose. Hint: training is the key mitigation measure. We also offer suggestions about what to do in the event of a BEC attack, when timely disclosure is key to mitigating regulatory penalties.
- EU Digital Operational Resilience Act (“DORA”): Incident and Cyber Threat Reporting and Considerations for Incident Response Plans (May 13, 2024)
In January 2025, the EU’s Digital Operational Resilience Act will go into effect, imposing reporting requirements on financial institutions in the aftermath of cyberattacks. In this post, we take a closer look at DORA’s Information and Communications Technology-related incident and cyber threat reporting obligations (which can require notifications in as little as four hours) and how covered entities can prepare to address them within their existing incident response plans.
In March, the Cybersecurity and Infrastructure Security Agency proposed a rule (based on the Cyber Incident Reporting for Critical Infrastructure Act) which would mandate cybersecurity incident reporting for critical infrastructure entities starting in 2026. If enacted, this rule would cause a dramatic shift in the regulatory landscape, swapping voluntary partnership agreements for detailed reporting requirements and threatening criminal prosecution in the event of non-compliance. In light of the rule’s broad application and stringent penalties, this post arms readers with practical recommendations for ensuring compliance come 2026, assuming the law remains the same in the new administration.
In February, the National Institute of Standards and Technology released version 2.0 of its voluntary risk management Cybersecurity Framework, significantly updating its prior 2014 version with stricter internal requirements for companies. Although compliance is voluntary, the Framework is increasingly used by regulators like the FTC and SEC as a benchmark for cybersecurity maturity. This post provides a detailed explanation of how to utilize the Framework to mitigate the risk of cyberattacks.
Like other technologies, AI poses cybersecurity risks when integrated into business practices. This blog post draws on a joint report from leading agencies to highlight 10 key cybersecurity measures that companies should consider when deploying AI systems. Read this post for a summary of the report’s top recommendations on mitigating risks while benefiting from the advances that AI offers.
- Helpful Guidance on Managing AI-Related Cybersecurity Risks from Hong Kong’s SFC (November 19, 2024)
In a circular issued November 12, 2024 (the “Circular”), Hong Kong’s Securities and Futures Commission (the “SFC”) outlined its expectations for how licensed corporations should manage risks associated with AI language models. In the Circular, the SFC addresses cybersecurity, AI governance, and operational risks, recommending that companies implement measures commensurate with the magnitude of risk and impact. In this blog post, we cover key takeaways from the Circular.
- Making Tabletop Exercises Worth the Time and Resources (October 25, 2024)
In today’s threat environment, preparing for a cyberattack is essential, and tabletop exercises can help companies assess their strengths and vulnerabilities without all the pressures of a real crisis. Many companies have been conducting tabletops for years, but crafting an exercise that is worth executives’ time takes considerable planning and insights gained from the trenches of actual incidents. This blog post outlines our top goals for a tabletop and common lessons from these exercises.
- The EU’s Draft NIS2 Regulations: Appropriate ICT Security Measures and Serious Incident Reporting (August 12, 2024)
Effective October 2024, a regulation under the second Network and Information Systems Directive details the EU’s new security requirements and cyber incident reporting triggers. This blog post unpacks the regulation’s requirements—many of which are now in effect—imposing obligations on companies such as cloud computing providers, social media platforms, and many others that may not immediately appear to be covered entities.
- Part 500, One Year Later (Part Two) – Defining “Material Compliance” (November 13, 2024)
Each year, covered entities must certify that they have materially complied with the New York Department of Financial Services’ (“NYDFS”) Cybersecurity Regulation (“Part 500”). Ahead of the April 2025 certification deadline, this blog post, the second in a two-part series, discusses what constitutes “material compliance.” Since NYDFS has not specifically defined the term, each covered entity must decide for itself whether it has met the requirements, assessing various factors related to the covered entity and its potential noncompliance. This post offers practical guidance to assist covered entities in making these individualized determinations.
- Treasury’s Report on AI (Part 2) – Managing AI-Specific Cybersecurity Risks in the Financial Sector (July 3, 2024)
This blog post, the second in a two-part series on the Treasury’s report, Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”), summarizes the benchmarking that Treasury did on the efforts of financial services companies to deal with AI-enhanced cybersecurity risks and how firms can respond. This post walks through risks of, and potential responses to, AI-enhanced social engineering, malware, disinformation, data poisoning, data leakage, evasion, and model extraction. Finally, it recommends measures to strengthen AI system supply chains, design, and deployment, as well as ways to keep up with the evolving regulatory landscape.
***
To subscribe to the Data Blog, please click here.