Cybersecurity 2025

USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields

jects that enhance the resilience of critical infrastructure. These grants support initiatives such as system upgrades, cybersecurity training, and vulnerability assessments.

Threat Identification Responsibilities

State responsibilities when it comes to identifying cybersecurity threats to critical infrastructure are as follows.

• Threat intelligence sharing – state governments act as intermediaries between federal agencies and local entities by disseminating threat intelligence. This includes leveraging the federal Multi-State Information Sharing and Analysis Center (MS-ISAC), which provides cybersecurity threat monitoring, analysis, and early warnings tailored to state and local governments.

• Sector-specific threat monitoring – many states focus on monitoring threats to key sectors, such as water utilities, energy grids, and healthcare facilities, which are often regulated at the state level. State public utility commissions and health departments often collaborate with federal agencies to identify and mitigate threats.

• Mandatory reporting and oversight – states enforce data breach reporting requirements for businesses and other entities operating within their jurisdiction. Virtually all states have enacted data breach notification laws, requiring organisations to report breaches involving personally identifiable information (PII) to affected individuals and, in many cases, the state Attorney General or other regulatory bodies. For instance:
(a) some states (eg, California) mandate detailed reporting on the nature of the breach and steps taken to address it; and
(b) some state laws also impose specific deadlines for breach notifications, typically ranging between 30–90 days, depending on the jurisdiction.

3. Financial Sector Operational Resilience Regulation

3.1 Scope of Financial Sector Operational Resilience Regulation

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (together, the “prudential regulators”) consider cybersecurity to be a component of US financial institutions’ operational risk management framework, as described in the regulatory capital rules and elsewhere.

Title V of the GLBA was the first federal law to require that financial institutions safeguard non-public personal information (NPPI) of their customers. The statute requires each prudential regulator to establish standards for financial institutions to:

• insure the security and confidentiality of records containing NPPI;
• protect against “any anticipated threats or hazards” to such records; and
• protect against unauthorised access of such records (the “Safeguards Rule”).

The Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”) that derive from this statutory mandate require all financial institutions to have information security programmes that further the objectives of the Safeguards Rule. In 2020, the OCC and the FDIC published a Joint Statement on Heightened Cybersecurity Risk (the “Joint Statement”), which elaborated on the Security Guidelines.
