As the Russia-Ukraine war enters its second year, the cybersecurity industry will recall the signing, on March 15, 2022, of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) by US President Joe Biden. The law requires covered entities, public and private, to report substantial cyber incidents affecting critical infrastructure (1) to the Cybersecurity and Infrastructure Security Agency (CISA), which operates under the US Department of Homeland Security (DHS), within 72 hours, and to report any ransomware payment within 24 hours. It covers the critical infrastructure sectors (2) deemed vital to the nation’s economy and citizens. One practical caveat: the reporting obligations only take effect once CISA completes the rulemaking the act requires, so organizations should track the proposed and final rules rather than assume the clock is already running.
Tipping point
Coming in the wake of the 2021 ransomware attacks by criminal groups that shut down Colonial Pipeline’s fuel distribution and halted JBS meat-processing plants, the act followed Executive Order 14028 of May 2021, which directed federal agencies to strengthen the security of their own systems and software supply chains.
Although those attacks (criminal ransomware operations rather than state-directed ones) appeared to be the tipping point for regulation, the seemingly endless stream of damaging cyberattacks over the preceding years had long since made the case for stronger data privacy and cybersecurity rules.
The here and now
The US already has a well-established, if sector-by-sector, cybersecurity regulatory structure (3): health (HIPAA), defense contracting (CMMC), legal services (state bar rules modelled on the American Bar Association’s Model Rules of Professional Conduct), payment cards (the PCI Security Standards Council’s Data Security Standard, PCI DSS, a contractual standard imposed by the major card brands rather than a statute), consumer data (Section 5 of the Federal Trade Commission Act at the federal level, plus breach-notification statutes now enacted in all 50 states), insurance and financial services (the New York State Department of Financial Services’ cybersecurity regulation, 23 NYCRR Part 500), and energy (the NERC CIP standards approved by the Federal Energy Regulatory Commission, FERC).
No longer content to sit back and rely on organizations and individuals to improve their own security postures, or on the industry as a whole to reach cybersecurity maturity, governments worldwide have switched to a “do something” mode, with many considering or enacting new laws and regulations.
Approximately 120 countries (around 60% of the world’s sovereign states) have already enacted data privacy laws, and many more have draft legislation in the pipeline. Interestingly, though, the focus has been on privacy laws triggered by the exfiltration of personal data, and much less on the reporting of cybersecurity incidents as such. Harvard Business Review (HBR) (4) points out that, read strictly, even the Colonial Pipeline attack did not have to be reported under those laws, because no personal data was lost.
More is coming up
Late 2022 saw legislation passed in many US states (5) enacting measures that cover:
- Cybersecurity training and establishment of formal security policies
- Funding for cybersecurity programs and practices in state agencies, local governments, and schools
- Security practices in elections
- Programs for workforce training and education
More is on the cards. HBR (4) writes that ‘in the United States, a whole suite of new regulations and enforcement are in the offing: the Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and Cybersecurity and Infrastructure Security Agency are all working on new rules.’
Gartner (6) predicts that by the end of 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70 percent of global GDP. In another article Gartner (7) predicts that by 2023, “65% of the world’s population will have personal data covered under modern privacy regulations, up from 10% in 2020.” GDPR-style laws with extraterritorial reach add a further dimension: an organization’s obligations follow the individuals whose data it holds, not just the country in which it operates, so data stored anywhere in the world can fall within scope.
The Challenges
The decision to introduce firmer laws globally seems justified, especially while the reporting status of cyber incidents remains so ambiguous. HBR (4) says its research indicates that only about 25% of cybersecurity incidents are reported, and other estimates put the figure as low as 18% or even 10%.
Many cybersecurity experts feel that, despite the imminent arrival of further regulatory requirements and pressures, quite a few challenges still need to be addressed. At a global level these include:
- Lawmakers engaging with the technology itself, not only with privacy and reporting obligations
- Clarity for organizations on what exactly constitutes a ‘meaningful cybersecurity incident’, for example whether attempted breaches count alongside actual breaches
- The burden of repeated and voluminous incident reporting, potentially to several agencies at once
- International companies having to reconcile the differing reporting timelines and definitions imposed by diverse national agencies
What organizations need to be doing
Aside from tightening their security postures, organizations would do well to examine existing privacy rules and incident reporting regulations, and the legislation now in the pipeline, so that they are prepared in advance. They also need to:
- Develop a clear understanding of the privacy landscape from a global perspective
- Develop a clear view of the implications of ransomware, especially as several countries are considering making it a crime to pay ransom demands
- Fully understand their Software Bill of Materials (SBOM): the inventory of components, and of the components nested inside those components (4), that arrive through their digital supply chains. An SBOM is only useful if it reaches the transitive dependencies, since that is where most of the unknowns sit
- Thoroughly review their cyber insurance position and policies, including the notification conditions those policies impose
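The SBOM point above is easier to act on with a concrete walk through the dependency graph. The following is an added example, not code from the original article or from any of the organizations it cites. It parses a small constructed CycloneDX-style SBOM (the component names, versions, suppliers and `bom-ref` values are all made up), follows the `dependencies` section from the application root, and reports every transitive component with its depth, whether it is a direct dependency, and whether the SBOM even names a supplier for it. It also flags references that appear in the dependency graph but have no matching component entry, which is a common gap in generated SBOMs.

```python
"""Walk a CycloneDX-style SBOM to surface transitive (nested) dependencies.

Added example; the SBOM below is constructed for illustration only and does
not describe any real product. Field names follow the CycloneDX JSON layout
(components[].bom-ref, dependencies[].ref / dependsOn).
"""
import json
from collections import deque

# Constructed sample SBOM. Note that "pkg:native-crypto" is referenced in the
# dependency graph but deliberately missing from the component list.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:app", "name": "billing-service", "version": "2.3.0",
         "supplier": {"name": "Example Corp"}},
        {"bom-ref": "pkg:web", "name": "web-framework", "version": "4.1.2",
         "supplier": {"name": "Vendor A"}},
        {"bom-ref": "pkg:tmpl", "name": "template-engine", "version": "1.9.0",
         "supplier": {"name": "Vendor B"}},
        {"bom-ref": "pkg:log", "name": "logging-lib", "version": "3.0.1"},
        {"bom-ref": "pkg:json", "name": "json-parser", "version": "0.8.5"},
    ],
    "dependencies": [
        {"ref": "pkg:app", "dependsOn": ["pkg:web", "pkg:log"]},
        {"ref": "pkg:web", "dependsOn": ["pkg:tmpl", "pkg:json"]},
        {"ref": "pkg:tmpl", "dependsOn": ["pkg:json"]},
        {"ref": "pkg:log", "dependsOn": ["pkg:json"]},
        {"ref": "pkg:json", "dependsOn": ["pkg:native-crypto"]},
    ],
})

UNKNOWN_SUPPLIER = "<unknown supplier>"
UNDECLARED = "<not in component list>"


def load_sbom(text):
    """Return (components keyed by bom-ref, adjacency list keyed by ref)."""
    doc = json.loads(text)
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return components, graph


def transitive_deps(graph, root):
    """Breadth-first walk from root; returns {ref: shortest depth}.

    The visited check makes this safe on graphs with cycles, which real
    SBOMs occasionally contain.
    """
    depths = {}
    queue = deque([(root, 0)])
    while queue:
        ref, depth = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depths:
                depths[child] = depth + 1
                queue.append((child, depth + 1))
    return depths


def inventory(text, root):
    """One row per component reachable from root, ordered by depth then ref."""
    components, graph = load_sbom(text)
    rows = []
    for ref, depth in sorted(transitive_deps(graph, root).items(),
                             key=lambda kv: (kv[1], kv[0])):
        comp = components.get(ref, {})
        rows.append({
            "ref": ref,
            "name": comp.get("name", UNDECLARED),
            "version": comp.get("version", "?"),
            "depth": depth,
            "direct": depth == 1,
            "supplier": comp.get("supplier", {}).get("name", UNKNOWN_SUPPLIER),
        })
    return rows


def unknown_suppliers(rows):
    """Refs for which the SBOM names no supplier (a due-diligence gap)."""
    return [r["ref"] for r in rows if r["supplier"] == UNKNOWN_SUPPLIER]


def undeclared_components(rows):
    """Refs reached through the graph but absent from the component list."""
    return [r["ref"] for r in rows if r["name"] == UNDECLARED]


if __name__ == "__main__":
    rows = inventory(SAMPLE_SBOM, "pkg:app")
    for r in rows:
        kind = "direct" if r["direct"] else "transitive"
        print(f'{kind:10} depth={r["depth"]} {r["name"]} {r["version"]} supplier={r["supplier"]}')
    print("no supplier:", unknown_suppliers(rows))
    print("undeclared:", undeclared_components(rows))
```

Run against the sample, two of the five reachable components are direct dependencies and the rest are nested two or three levels down; `json-parser` is reached by three different paths but appears once, at its shortest depth. The two gap checks are the ones worth automating in a supply-chain review: a component the SBOM cannot attribute to a supplier, and a reference the SBOM's own graph uses but never describes.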
Although targeted at the financial industry, KPMG’s (8) insights on risk management and governance, data collection and usage, and privacy can serve as a valuable reference for all organizations as they navigate their regulatory path.
Final words
Despite the recessionary trends the cyber industry is likely to experience in the remainder of 2023 (an increasing number of major vendors are announcing lay-offs), there is little doubt that both privacy and reporting regulations will be key players in the dynamic cyber landscape. Caught between the headwinds of recession and forthcoming legislation, organizations will need to equip themselves adequately to ride out the storm.
As Michael Blackshear, SVP, Chief Compliance & Privacy Officer and Head of Diversity, Equity & Inclusion at Ryan Specialty, puts it in the KPMG insights article (8): “Privacy and Data Security will continue to be a growing compliance and regulatory concern that will challenge organizations with finding innovative ways to safeguard customer, clients, and employees’ sensitive and personal identifiable information.”
References:
- (1) Gibson Dunn: President Biden Signs into Law the Cyber Incident Reporting for Critical Infrastructure Act
- (2) Attacks on Critical Infrastructure – An Uphill Battle (aurorait.com)
- (3) A Brief Guide to US Cybersecurity Regulations by Industry (TrinWare)
- (4) New Cybersecurity Regulations Are Coming. Here’s How to Prepare. (hbr.org)
- (5) Cybersecurity Legislation 2022 (ncsl.org)
- (6) Top cybersecurity predictions for 2023 and beyond: Gartner (InfotechLead)
- (7) Six Cybersecurity Trends You Can Expect In 2023 (forbes.com)
- (8) Data and Cybersecurity: 2023 Regulatory Challenges (kpmg.us)