On December 16, 2025, the U.S. National Institute of Standards and Technology (“NIST”) published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (“Cyber AI Profile” or “Profile”). According to the draft, the Cyber AI Profile is intended to “provide guidelines for managing cybersecurity risk related to AI systems [and] identify[] opportunities for using AI to enhance cybersecurity capabilities.” The draft Profile uses the existing voluntary NIST Cybersecurity Framework (“CSF”) 2.0 — which “provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks” — and overlays three AI Focus Areas (Secure, Detect, Thwart) on top of the CSF’s outcomes (Functions, Categories, and Subcategories) to suggest considerations for organizations to prioritize when securing AI implementations, using AI to enhance cybersecurity defenses, or defending against adversarial uses of AI. This draft guidance will likely be familiar to organizations that already leverage the CSF 2.0 in their cybersecurity programs and might be complimentary to existing frameworks that organizations already have in place. Even so, the outcomes are designed to be flexible such that a range of organizations (with mature or novel programs) can leverage the guidance to help manage AI-related cybersecurity risk. Continue Reading NIST Publishes Preliminary Draft of Cybersecurity Framework Profile for Artificial Intelligence for Public Comment
CISA Releases Cybersecurity Performance Goals 2.0 for Critical Infrastructure
On December 11, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released its Cybersecurity Performance Goals 2.0 (“CPG 2.0”), an update to its core set of recommended cybersecurity practices for critical infrastructure owners and operators, which we previously wrote about here. Established by the 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, the CPGs provide a list of essential, outcome-driven cybersecurity “goals” to establish “a common understanding of the baseline security practices” for critical infrastructure owners and operators, including government contractors and defense contractors. The CPGs, which are voluntary, apply to both information technology (“IT”) and operational technology (“OT”) environments and are designed to reduce risk related to known, high-impact cyber threats and adversarial tactics, techniques, and procedures (“TTPs”).Continue Reading CISA Releases Cybersecurity Performance Goals 2.0 for Critical Infrastructure
SEC Voluntarily Dismisses SolarWinds Litigation
On November 20, 2025, the Securities and Exchange Commission (“SEC”) announced that it was voluntarily dismissing the case it brought against SolarWinds Corp. (“SolarWinds”) and its information security officer, Timothy Brown, regarding the company’s security practices and related statements in connection with the “Sunburst” cybersecurity incident. The SEC stated in a brief release that its decision to dismiss with prejudice the case against SolarWinds and Mr. Brown was “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.”Continue Reading SEC Voluntarily Dismisses SolarWinds Litigation
NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers
On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”), which requires Covered Entities to implement a comprehensive cybersecurity program that includes written policies addressing TPSP risks as well as due diligence, contractual requirements, and periodic assessments for TPSPs. While the Guidance is explicit that it “does not impose any new requirements” beyond those already included in the Cybersecurity Regulation, it provides significant additional detail to clarify how to comply with existing requirements and offers industry best practices to mitigate TPSP-related cyber risks. As the Guidance suggests that NYDFS will continue to focus on TPSP-related cyber risks, Covered Entities should consider reviewing their TPSP oversight and management against the specific recommendations from the Guidance and adjusting their practices where appropriate. Alongside a review of TPSP oversight and management, Covered Entities may also consider reviewing their implementation of the provisions of the Cybersecurity Regulation requiring multifactor authentication, asset management, and data retention, which take effect on November 1, 2025.Continue Reading NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers
Cybersecurity Information Sharing Act of 2015 Allowed to Sunset
The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provided protections for sharing cybersecurity threat information with the federal government and others, officially sunset on September 30, 2025 pursuant to the law’s original sunset date after efforts to re-authorize it did not succeed. The law created a cybersecurity information
Continue Reading Cybersecurity Information Sharing Act of 2015 Allowed to SunsetCISA Delays Cyber Incident Reporting Rule for Critical Infrastructure
The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) plans to delay the publication of its much-anticipated cybersecurity incident reporting rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). According to an entry on the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions, released on September
Continue Reading CISA Delays Cyber Incident Reporting Rule for Critical InfrastructureOklahoma Substantially Amends Its Data Breach Notification Statute
Oklahoma recently enacted Senate Bill 626, which substantially amends the state’s data breach notification law to broaden the scope of notification obligations and add a new regulator notification requirement along with a new “safe harbor”-style provision that provides liability protections if certain security measures are implemented. The changes to Oklahoma’s law follow changes to other state data breach notification laws within the past year, including New York’s addition of a 30-day deadline for notice to individuals (added in early 2025) and Pennsylvania’s addition of a regulator notification requirement and obligations to provide free credit monitoring (added in mid-2024). Key updates from Oklahoma’s bill, which will go into effect on January 1, 2026, are discussed in further detail below.Continue Reading Oklahoma Substantially Amends Its Data Breach Notification Statute
U.S. Government Issues Cybersecurity Warning to Critical Infrastructure Operators and Others
On June 30, 2025, the Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) warned U.S. critical infrastructure organizations and other companies that the threat of cyber attacks from Iran-affiliated cyber actors is heightened
Continue Reading U.S. Government Issues Cybersecurity Warning to Critical Infrastructure Operators and OthersTulsi Gabbard’s Confirmation Hearing for Director of National Intelligence: A Preview of a FISA Section 702 Reauthorization Fight?
The Senate Intelligence Committee’s January 30, 2025, confirmation hearing for former Representative Tulsi Gabbard, President Trump’s nominee for Director of National Intelligence, previewed a potentially difficult reauthorization path for Section 702 of the Foreign Intelligence Surveillance Act (“FISA”). While Gabbard appears to now publicly favor reauthorization of Section 702, her
Continue Reading Tulsi Gabbard’s Confirmation Hearing for Director of National Intelligence: A Preview of a FISA Section 702 Reauthorization Fight?New York Adopts Amendment to the State Data Breach Notification Law
On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements. The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach
Continue Reading New York Adopts Amendment to the State Data Breach Notification Law