As we approach the end of the year, here are the Top 5 Cybersecurity posts on the Debevoise Data Blog in 2025.
1. Protecting Privilege in Incident Response: Litigation Lessons (September 15, 2025)
Companies responding to data breaches are faced with the question of whether their incident response investigation can be protected by attorney‑client privilege or the work‑product doctrine. This blog post explores the key questions that U.S. courts analyze when deciding whether reports and communications generated by incident response vendors are discoverable and provides practical guidance on structuring vendor engagements, managing workflows, determining vendor payment sources, document distribution, and drafting reports to maximize the likelihood that these materials receive privilege and work product protections.
2. Lessons for AI Risk Management from Ten Years of Cybersecurity Implementation (May 14, 2025)
As businesses increasingly adopt AI, many are looking for familiar frameworks, and well‑established cybersecurity programs offer natural analogies. In this blog post, we discuss where lessons learned from cybersecurity governance are readily applicable to AI risk management, and where they are not.
3. Financial Services Industry Petitions the SEC for a Rulemaking to Amend the Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rule (May 27, 2025)
Five major U.S. financial‑services trade associations, with assistance from Debevoise, formally petitioned the SEC to amend its 2023 cybersecurity disclosure regime. This blog post highlights specific pitfalls of Form 8-K Item 1.05, as identified by industry, and outlines a proposal for a more balanced, principles-based cybersecurity disclosure regime.
4. SEC’s Focus on Cyber and AI to Continue Under Trump Administration (February 21, 2025)
The SEC announced the creation of a new Cyber and Emerging Technologies Unit (CETU) tasked with combatting cyber‑related misconduct and protecting retail investors from misuse of emerging technologies, including AI. This blog post provides an overview of the announcement, which illustrates that the Trump administration will continue to prioritize SEC cybersecurity and artificial intelligence examinations and enforcement, with a particular emphasis on fraudulent conduct impacting retail investors.
5. Trump Executive Order Puts the Spotlight on Foreign Cyber Threats, Managing AI Vulnerabilities, and Secure Software Development (June 16, 2025)
The Trump Administration issued an Executive Order reprioritizing the federal cybersecurity agenda. The Order underscores foreign nation‑state threats, emphasizes the management of AI‑related vulnerabilities, promotes secure software‑development practices, and rescinds several prescriptive mandates from the prior administration in favor of more flexible guidance. In this blog post, we outline key aspects of the Executive Order and explore possible implications for private companies, including software providers.
***
Summarized by Noah Schwartz and Sharon Shaji. We used ChatGPT to help generate first drafts of the summaries. The cover art for this blog was generated by Gemini 3 Nano Banana Pro.