Jul. 10, 2024

Key Implications and Practical Cyber Program Lessons From SEC’s R.R. Donnelley Settlement

The SEC’s recent settlement with R.R. Donnelley & Sons includes an aggressive and untested legal interpretation that would give the regulator a free hand to bring more cases based on inadequate cybersecurity practices. The charged violations, which arose from a 2021 ransomware attack, expand the definition of “accounting controls” to include cyber practices. Dissenting commissioners warned the interpretation stretches the law too far, and later this summer a court will decide on the approach’s validity in the agency’s SolarWinds case. This article examines four key impacts of the settlement and provides practical cybersecurity program recommendations based on the SEC’s new approach. It includes insights from former regulators at Debevoise & Plimpton, Mayer Brown and Woodruff Sawyer, and defense attorneys at A&O Shearman and Sullivan & Cromwell. See “Current and Former Enforcement Staffs’ Tips for Litigating Against the SEC” (Oct. 18, 2023).

A Framework for Materiality Determinations Under SEC’s Cyber Incident Disclosure Rules

The material cyber incident disclosure requirement that is part of the SEC’s Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rules for public companies (Rules) has apparently led to confusion, with some companies disclosing incidents that are not material in Item 1.05. Certain companies also believe the Rules prohibit them from sharing with third parties information about cyber incidents beyond what they disclosed in Item 1.05. Erik Gerding, Director of the SEC Division of Corporation Finance, recently issued statements addressing both concerns. With commentary from Eric B. Gyasi, counsel at BakerHostetler, this article discusses the key takeaways from Gerding’s statements and common materiality determination mistakes, along with advice on making materiality determinations. See “SEC Director Offers Clarification on New Cyber Disclosure Regime” (Jan. 3, 2024).

Implications of the New E.U. AML Directive

New E.U. anti-money laundering legislation, collectively dubbed the Anti-Money Laundering and Countering the Financing of Terrorism package (AML/CFT Package), is intended to beef up the monitoring of suspicious transactions and to eliminate loopholes that allow for laundering of illicit proceeds. One element of the AML/CFT Package raises data privacy concerns. The Cybersecurity Law Report spoke to experts in the field to understand the implications for international businesses. See “Navigating the Intersection of Digital Assets and AML” (Jun. 29, 2022).

Paul Hastings Adds Litigation Partner to Its Data Privacy and Cybersecurity Practice

Michelle Reed has joined Paul Hastings’ data privacy and cybersecurity practice as a partner in Dallas. She arrives from Akin Gump, where she was co‑head of its cybersecurity, privacy and data protection practice. For insights from Reed, see “How Do You Put a System of Controls in Place When Your Target Keeps Moving?” (Mar. 31, 2021). For commentary from Paul Hastings, see “Effective Use of Privacy Impact Assessments” (May 4, 2022).

Google Cloud Hires Former Federal CISO

Chris DeRusha, the former Federal CISO and Deputy National Cyber Director, has joined Google Cloud as the director of global public sector compliance. For insights from DeRusha, see “Using Software Bills of Materials to Bolster Security in Contracting” (Sep. 28, 2022).