Topic: Data and cybersecurity

Happy October and Cyber Awareness Month! While October ends with ghosts and goblins and other scary monsters for Halloween, the entire month of October is dedicated to raising awareness of cyber security and preventing (and if necessary responding to) cyber security incidents.

The Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired on September 30, 2025, after Congress missed the reauthorization deadline. That lapse removes the decade-old legal framework that encouraged and protected cyber threat information sharing among companies, Information Sharing and Analysis Organizations and Centers (ISAOs/ISACs), and the federal government.

In a significant regulatory development, the Cyberspace Administration of China (CAC) has officially issued the Measures for the Administration of National Cybersecurity Incident Reporting (the Final Reporting Measures), which will take effect on 1 November 2025.

On September 1, 2025, Texas amended its telephone solicitation law to include text messages and to add several new requirements, including a registration requirement with the Texas Secretary of State, plus a form of security (such as a bond) in the amount of $10,000.

The financial services sector is becoming increasingly reliant on cloud service providers (CSPs) to fulfil its growing data processing and storage needs. Financial services providers in the United States have reportedly had the highest levels of adoption, operating 54 percent of their workloads in the cloud; and according to the European Central Bank, banks spent 13.5 percent more on cloud outsourcing in 2024 than in 2023.

The European Banking Authority (EBA) is currently consulting on its draft guidelines on the sound management of third party risk (Draft Guidelines), which are intended to replace the 2019 guidelines on outsourcing arrangements (2019 Guidelines).

Financial regulators globally emphasise the importance of financial entities being operationally resilient, which includes the ability to manage and recover from disruptions caused by their service providers. The topic receives significant attention in the financial services sector because the sector is regulated, with the aim of promoting financial system stability.

The Data (Use and Access) Act (DUAA) received Royal Assent on 19 June 2025. The DUAA enacts the changes to the UK’s data protection regime that have been contemplated since the Data: a new direction consultation in 2021.

Regulated financial services sector firms in the Abu Dhabi Global Market (ADGM) have six months to comply with the new Cyber Risk Management Framework announced by the Financial Services Regulatory Authority (FSRA) on 29 July 2025.

On 29 July 2025, the Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) announced the implementation of a new Cyber Risk Management Framework that will apply to financial sector firms under its supervision.