US Congress enacts significant new law mandating cyber incident and ransomware reporting on businesses

On March 15, 2022, US President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA or the Act) into law.  Under its provisions, a broad range of private and public-sector entities operating in “critical infrastructure” sectors will for the first time have mandatory reporting obligations in connection with “cyber incidents” and ransomware attacks.  Specifically, “covered entities” are required to report certain “substantial” cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the event, and to report ransomware payments within 24 hours of payment. Read more

Hong Kong, can you handle this? The HKMA proposes new standards for operational resilience

Following the HKMA’s 21 April 2021 circular highlighting the additional guidance issued by the BCBS on 31 March 2021, namely the Principles for Operational Resilience and the Revised Principles for Sound Management of Operational Risk, the HKMA launched a consultation on 22 December 2021 on a new proposed Supervisory Policy Manual module OR-2 (Operational Resilience) and proposed amendments to existing SPM modules TM-G-2 (Business Continuity Planning) and OR-1 (Operational Risk Management) in order to align with the BCBS’s operational resilience guidance. Read more

China Cyber Security and Data Protection Update – April 2021

This e-bulletin summarises the latest developments in cybersecurity and data protection in China. We focus on four areas: regulatory, enforcement, industry and international developments. Our Highlights Whilst the MIIT continues to crack down on mobile applications that infringes individuals’ interests in personal information, four ministries jointly issued the regulations setting out the scope of personal … Read more

China Cyber Security and Data Protection Update – March 2021

This e-bulletin summarises the latest developments in cybersecurity and data protection in China. We focus on four areas: regulatory, enforcement, industry and international developments. Our Highlights The financial regulators have continued to increase their efforts to develop and protect financial data. The People’s Bank of China released new standards on enhancing the data capability of … Read more

China Cyber Security and Data Protection Update – Review of 2020 and Outlook for 2021

2020 has been an active year for developments in China’s cybersecurity and data protection regimes. In this e-bulletin we highlight the major regulatory and enforcement developments during the year in three key areas: Security protection, where continuous regulatory efforts have been made to supplement technical standards in order to progress the establishment of the multi-level … Read more

China Cyber Security and Data Protection Update – November 2020

In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on four areas: regulatory developments, enforcement developments, industry developments and international developments. For further detail, please see our update here.     Read more

UK Telecoms (Security) Bill: Stronger cyber security controls for the UK telecoms sector with a sting in their tail

Today the UK government introduced the Telecommunications (Security) Bill (the “Bill”) to Parliament, to more heavily regulate the UK telecoms sector and improve cyber security risk management, policy and enforcement. With significant sanctions for non-compliance, this “ground breaking” Bill is expected to provide the UK with “one of the toughest telecoms security regimes in the … Read more

The other not so mega ‘mega fine’: ICO fines Marriott £18.4 million in relation to Starwood Hotel’s 2014 data breach

Summary The ICO has fined Marriott Inc (“Marriott”) £18.4 million in relation to a 2014 cyber-attack on Starwood Hotels. The ICO had previously issued a notice of its intention to fine Marriott £99.2 million. The Penalty Notice does not explain the reasons why the final fine is considerably lower than this amount. Following the ICO’s … Read more