Tag Archives: HJ Brehmer

NIST Releases Most Significant Update to Cybersecurity Framework Since 2014

by Avi Gesser, Erez Liebermann, Michael R. Roberts, HJ Brehmer, and Annabella M. Waszkiewicz


On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of the Cybersecurity Framework (“Version 2.0” or the “Framework”). We previously wrote about proposed changes to the Framework, which has become an important industry standard for assessing the cybersecurity maturity of organizations and managing cybersecurity risk. Version 2.0’s enhanced guidance, and particularly its additional governance section, should interest counsel as a helpful tool for mapping to new legal requirements from regulators such as the Securities and Exchange Commission (“SEC”), the New York Department of Financial Services (“NYDFS”), and the Commodity Futures Trading Commission (“CFTC”).


SEC Cybersecurity Update: Chair Gensler Offers Insight into Upcoming Regulation

by Avi Gesser, Charu Chandrasekhar, Christopher Ford, HJ Brehmer, and Matthew Rametta

On January 24, 2022, SEC Chair Gary Gensler gave a speech on cybersecurity rulemaking to the Annual Securities Regulation Institute, outlining a number of key points he expects the SEC will consider in 2022 and emphasizing the SEC’s “key role” on the federal government’s “Team Cyber.” A number of these proposed changes – including broadening the scope of existing SEC regulations, enhancing SEC requirements for cyber hygiene, and increasing attention to public company disclosures – were among the trends that members of the Debevoise Data Strategy & Security and White Collar & Regulatory Defense practice groups discussed during a November 2021 webcast on the SEC’s Cybersecurity Year in Review, as well as in our prior Data Blog posts (here and here).


OFAC and FinCEN Update Ransomware Guidance to Include New Red-Flag Indicators and Additional Sanctions Designations

by Luke Dembosky, Avi Gesser, Satish Kini, Aseel Rabie, and HJ Brehmer

On November 8, 2021, the U.S. Department of the Treasury (“Treasury”) announced a new set of sanctions against criminal ransomware actors, the virtual currency exchange Chatex, and three companies providing material support and assistance to Chatex. By designating these entities, which have direct ties to the previously sanctioned SUEX OTC, S.R.O. (“SUEX”), Treasury is signaling that it will continue to use all available tools to identify and take action against those involved in facilitating ransomware payments.


OFAC’s Ransomware Advisory – How Banks Can Reduce Their Sanctions Risk for Client Cyber Ransom Payments (Part II of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Scott Caravello

This is Part II of a two-part post. For Part I, which provides a general overview of OFAC’s updated ransomware advisory and the ways that victim companies can reduce their sanctions risks, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released an updated advisory (PDF: 252 KB) (the “Advisory”) on the sanctions risks associated with facilitating ransomware payments. The Advisory applies to victims of ransomware attacks, as well as to companies that facilitate payments to threat actors, including financial institutions. In Part I, we discussed the Advisory generally and the ways that victim companies can reduce their sanctions risks. In this Part II, we discuss the measures that financial institutions can adopt to mitigate their ransomware sanctions risks, and why those compliance controls differ from the steps being taken by victims.


OFAC’s Ransomware Advisory – Improved Cybersecurity Can Mitigate Sanctions Risk, and Other Takeaways (Part I of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Sarah Q. Smith

This is Part I of a two-part post. For Part II, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory (PDF: 252 KB) (the “Advisory”) on the sanctions risks associated with payments to threat actors in connection with cyber ransoms. The Advisory reminds companies that all parties associated with the payment of a cyber ransom—including victims, financial institutions, insurance firms, and other companies facilitating payment—are responsible for ensuring that they do not violate U.S. law, and that they can be subject to an OFAC enforcement action if they do.


Seven Tips for Reducing CCPA Litigation Risks – Lessons from the First 18 Months

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Alexandra P. Swain, and HJ Brehmer

Since the implementation of the California Consumer Privacy Act (“CCPA”) 18 months ago, more than 75 lawsuits have been filed seeking damages using the Act’s private cause of action. The CCPA provides a cause of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Consumers can seek damages for any harm actually incurred as well as statutory damages ranging from $100 to $750 per consumer per incident.

Not surprisingly, in these early days of CCPA private actions, plaintiffs are trying to push the boundaries of the law and are testing who may bring a CCPA claim, when, and why. In this post, we offer practical tips for reducing CCPA risk based on a review of the cases filed to date and the treatment of those cases in the courts.
