Insights

Client Alerts 48 results

Client Alert | 5 min read | 03.10.25

SEC Shifts Enforcement Focus With Launch of Cyber and Emerging Technologies Unit

On February 20, 2025, the Securities and Exchange Commission (SEC) announced the formation of the Cyber and Emerging Technologies Unit, known as “CETU,” which will replace the Crypto Assets and Cyber Unit (“CACU”).
...

Client Alert | 14 min read | 07.24.24

U.S. Federal District Court Judge Dismisses Much of SEC’s Claims Against SolarWinds and its CISO Relating to SUNBURST Cybersecurity Attack

On Thursday, July 18, 2024, Judge Paul Engelmayer, U.S. District Judge for the Southern District of New York, dismissed the bulk of the Securities and Exchange Commission’s (SEC’s) landmark civil securities law claims against SolarWinds and its Chief Information Security Officer (CISO) Timothy Brown.  The Court dismissed all allegations based on SolarWinds’ public disclosures made after SolarWinds became a victim of the well-publicized SUNBURST cybersecurity attack, and also dismissed the SEC’s claims relating to SolarWinds’ internal accounting controls and disclosure controls and procedures.  However, the Court declined to dismiss claims of securities fraud against SolarWinds and its CISO based on SolarWinds’ pre-SUNBURST disclosures, finding that the SEC had properly pleaded that the company’s publicly-posted “Security Statement” was materially false and misleading. 
...

Client Alert | 3 min read | 04.30.24

Appliance Standards: Steep Increase in Department of Energy Enforcement Cases Puts Appliance Manufacturers and Importers at Financial Risk

The DOE in 2023 significantly increased its enforcement activity against manufacturers and importers alleged to have violated EPCA’s energy and water conservation standards and related certification requirements, based on available public information. As we previously flagged, the substantial rise in enforcement activity comes as the Biden Administration increasingly focuses on EPCA as a means of achieving environmental policy objectives, including reducing carbon emissions. The Department has continued its enforcement efforts in 2024 and early data from this year sheds light on the Department’s enforcement priorities.
...

Client Alert | 5 min read | 12.19.23

FBI Offers Pathway to Request Delay of SEC Cybersecurity Incident Disclosures

Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.
...

Client Alert | 3 min read | 11.08.23

Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack

On October 30, 2023, the Securities and Exchange Commission (the “SEC”) filed a civil lawsuit charging SolarWinds Corporation (“SolarWinds” or the “Company”) and its chief information security officer, Timothy G. Brown (“Brown”), with securities fraud, internal controls failures, misleading investors about cyber risk, and disclosure controls failures, among other violations.  The SEC’s claims arise from allegedly known cybersecurity risks and vulnerabilities at SolarWinds associated with the SUNBURST cyberattack that occurred between 2018 and 2021.
...

Client Alert | 6 min read | 07.28.23

Five Key Takeaways from the SEC’s Final Cybersecurity Rules for Public Companies

On July 26, 2023, the SEC finalized long-awaited disclosure rules (the “Final Rules”) regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.  While the end results are substantially similar to rules proposed by the SEC in March 2022, there are some key distinctions. 
...

Client Alert | 2 min read | 06.07.23

MOVEit Vulnerability: What to Know and What to Do

A new Cybersecurity & Infrastructure Security Agency (CISA) alert advises that, starting in late May, a well-known ransomware group called Clop compromised a widely used managed file transfer (MFT) platform called MOVEit Transfer, reportedly impacting hundreds of companies globally. 
...

Client Alert | 16 min read | 03.06.23

Biden Administration Releases Comprehensive National Cybersecurity Strategy

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”
...

Client Alert | 3 min read | 01.26.23

Appliance Manufacturers and Importers Should Prepare for Increased DOE Enforcement Activity in 2023

As the Biden Administration enters its third year, now with a party split in Congress, it seems likely that the Administration will redouble its focus on executive branch regulatory tools that can be used to achieve energy-related policy objectives, including with respect to energy efficiency and reducing carbon emissions. For manufacturers and importers of appliances and certain other consumer, lighting, plumbing and commercial and industrial products, that means the potential for additional scrutiny of their products’ compliance with the Department of Energy’s (DOE) conservation standards for energy and water efficiency. It also likely means a commensurate increase in DOE enforcement activity for non-compliance with the applicable efficiency standards or the associated test procedures required to demonstrate compliance, as well as registration and labeling requirements. Given the magnitude of the penalties associated with violating efficiency standards, currently $503 per violation, which can quickly run into multiple millions of dollars across noncompliant units, manufacturers and importers should consider refamiliarizing themselves with DOE’s conservation standards regime.
...

Client Alert | 5 min read | 01.13.23

Cyber and Physical Attacks on the Electric Grid Should Prompt New Year’s Resolutions for the Energy Industry

This has not been a joyful winter for energy industry executives. They have repeatedly awoken to alerts that substations in the Northwest and Southeast have been physically attacked and that a major engineering firm was the subject of a ransomware cyberattack that may have compromised utility data.
...

Client Alert | 7 min read | 06.03.22

DOJ’s Revised Prosecutorial Guidelines: The “Ethical” Hacker Exemption

For the first time in nearly a decade, the U.S. Department of Justice (DOJ) has revised its prosecutorial guidelines for bringing criminal charges under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. Under the revised guidelines, federal prosecutors should not pursue CFAA violations if available evidence shows an individual’s conduct consisted of, and the defendant intended, “good faith security research.” See Justice Manual (J.M.) § 9-48.000 (Revised CFAA Guidelines). These policy changes, effective immediately, provide some welcome clarity for so-called “white-hat” or “ethical” hackers, such as cyber researchers and penetration testers.
...

Client Alert | 4 min read | 04.08.22

SolarWinds Cyber-Attack Litigation Proceeds Against Company, Investors, and Individual

After the SolarWinds Supply Chain Attack in late 2020 became public, the value of SolarWinds stock on the public market decreased in one week from almost $25 per share to less than $15 per share—a substantial decline of approximately 40%.
...

Client Alert | 11 min read | 03.24.22

President Biden Signs Bill Expanding Cybersecurity Reporting Obligations

President Biden signed the Consolidated Appropriations Act, 2022 into law on March 15, 2022. Section Y of the new omnibus appropriations bill is titled The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“the Act”). Importantly, the Act significantly expands federal cybersecurity incident and ransom demand reporting requirements for critical infrastructure entities. In light of these new requirements, critical infrastructure entities who suspect that they may be subject to the Act should begin investigating how the Act will impact their business and consider establishing protocols which may be necessary to ensure compliance.
...

Client Alert | 4 min read | 03.15.22

SEC Proposes New Cybersecurity Risk and Incident Disclosure Obligations

On March 9, 2022, the Securities and Exchange Commission (SEC) issued proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (registrants) that are subject to the reporting requirements of the Securities Exchange Act of 1934.
...

Client Alert | 6 min read | 03.01.22

Additional States Plan for the Implementation of Data Privacy Laws

Earlier this month, Crowell & Moring issued an alert regarding the robust enforcement of the California Consumer Privacy Act (“CCPA”) since its 2020 effective date. Other states and state consortiums, such as the Attorney General Alliance, continue to focus on the perceived need for consumer data privacy, which maintains bipartisan appeal. Currently, Colorado is preparing for the July 1st, 2023 effective date for the Colorado Privacy Act (“CPA”), various other states are working toward passing consumer data privacy legislation, and some states are attempting to pass measures of protection against “big data” that are different from California, Virginia or Colorado’s data privacy acts.
...

Client Alert | 2 min read | 02.18.22

CISA Issues Alert Warning Against Russian State-Sponsored Attacks on Cleared Defense Contractors

On February 16, 2022, the Cybersecurity & Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), issued Alert (AA22-047A), “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information Technology.”  The Alert contains useful background on the situation and the following guidance for companies on response and risk mitigation efforts:
...

Client Alert | 4 min read | 12.20.21

CISA Emergency Directive Requires Immediate Mitigation of Log4j Vulnerabilities

On December 17, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) issued Emergency Directive 22-02 (the “Directive”) instructing civilian federal agencies to mitigate a series of vulnerabilities in Apache Log4j, a Java-based logging library, by 5 p.m. EST on December 23 and to provide a report to CISA about vulnerable applications by December 28.
...

Client Alert | 7 min read | 09.28.21

OFAC Issues Updated Guidance on Ransomware Attacks and Imposes First Sanctions Designation on a Virtual Currency Exchange

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory on potential sanctions risks for companies that facilitate ransomware payments in response to cyberattacks, guidance on preventative measures companies can implement to mitigate such risks, and criteria that OFAC will consider as mitigating factors in any potential enforcement action. OFAC also announced that it has added SUEX OTC, S.R.O. (“SUEX”), a Russian virtual currency exchange, to its Specially Designated Nationals and Blocked Persons List (the “SDN List”), as a result of its role in facilitating ransomware payments. This represents OFAC’s first-ever designation of a virtual currency exchange.
...

Client Alert | 4 min read | 06.23.21

Don’t be that Victim: The Critical Need for Ransomware Response Plans

Senator Maggie Hassan (N.H.-D): “My question is, in your planning, did you have a plan for cybersecurity response that included guidance about ransomware?”
...

Client Alert | 4 min read | 06.17.21

A Ransomware Attack Primer: What You Need to Know and What Crowell Can Do to Help

As recently as six months ago, ransomware was the domain of CISOs (chief information security officers) and cybersecurity lawyers. But in the wake of high-profile attacks by Russian-based cybercriminals on Colonial Pipeline, operator of the country’s largest refined fuel pipeline, and JBS Foods, the world’s largest meat processor, ransomware jumped to the top of the agenda for President Biden’s meeting with Russian President Vladimir Putin this week. These high-profile incidents have shown that ransomware attacks are a significant business/operational and legal risk for global companies. Colonial Pipeline paid $5 million to resolve its attack, JBS $11 million, and the group responsible for an attack on Acer is demanding $50 million.
...