USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields
aged to use standardised tools that incorporate industry standards and best practices to determine their cybersecurity risk. These tools include the FFIEC Cybersecurity Assessment Tool (sunsetting in August 2025), the NIST Cybersecurity Framework, the Center for Internet Security Critical Security Controls, and the Financial Services Sector Coordinating Council Cybersecurity Profile.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

Legislation around cyber-resilience continues to develop in the USA, as follows.

• The Federal Reserve, in co-ordination with the OCC and the FDIC, has issued guidance in the form of a paper on operational resilience that includes an appendix of practices for cyber-risk management.
• Some regulations impose transparency obligations related to cyber-resiliency. By way of example, the SEC requires publicly traded companies to disclose measures taken to manage certain cyber-related risks. NYDFS regulations (described in greater detail in 6.2 Cybersecurity and AI) impose similar disclosure requirements and technical obligations regarding backup systems to promote resiliency.
• Draft legislation that would create a task force directed to report on conclusions and recommendations related to protecting critical infrastructure from foreign state-sponsored threats has passed one house of Congress.

4.2 Key Obligations Under Legislation

Draft legislation would create a task force to consider steps that critical infrastructure companies can take to strengthen resilience against foreign state-sponsored attacks (see 4.1 Cyber-Resilience Legislation).

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation

Unlike Europe, the USA does not have any security certification requirements for information and communications technology (ICT) products or services. CISA co-chairs the ICT Supply Chain Risk Management Task Force, a PPP that is charged with identifying challenges and solutions for managing risks in the global ICT supply chain. That task force has issued several handbooks and resource guides to help the private sector manage supply chain risk in ICT. Separately, the Federal Communications Commission (FCC) has created a voluntary cybersecurity labelling programme for wireless consumer internet of things (IoT) products, namely the US Cyber Trust Mark. The Cyber Trust Mark is a label designed to demonstrate to consumers that devices with the label have met robust cybersecurity standards and is expected to launch in 2025.

6. Cybersecurity in Other Regulations

6.1 Cybersecurity and Data Protection

Federal Data Protection Regulation

At the federal level, the GLBA directs covered financial institutions to provide notices about their information-sharing practices and to implement appropriate safeguards to ensure the security of customer information and protect against unauthorised access to such information. The Safeguards Rule, which is one of the GLBA's implementing regulations, includes prescriptive