As the cost of responding to cyber-attacks keeps mounting, federal and state regulators have responded with increased regulations and disclosure requirements, adding to the complexity of responding to ransomware attacks and data breaches.
Wiley has looked back at the top cyber issues for 2023 and what they mean for 2024.
2023 brought the National Cybersecurity Strategy, which outlined a new era of cyber oversight, as well as an unprecedented effort to regulate cybersecurity, incident response, and reporting in a variety of ways, including new rules and mandates from the Securities and Exchange Commission (SEC), the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the Transportation Security Administration (TSA), the Environmental Protection Agency (EPA), and state regulators (California and New York in particular), among others. We also saw a spike in interest in zero trust and software security.
This is a key inflection point in cyber policy, as the federal government touts harmonization while agencies proceed in varied directions.
Wiley identified the top ten policy issues that clients and others should consider in 2024, including new regulations, whether zero trust and software assurance have staying power, surveillance issues, CISO roles and risks, the impact of new SEC cyber disclosure rules, and more.
- Incident reporting mandates proliferate – will government really harmonize them?
2024 may be the year that incident reporting mandates reshape the cyber landscape. Government agencies are layering new and varied rules on top of the existing patchwork of state breach reporting and are taking a variety of approaches that may complicate compliance.
The Department of Homeland Security (DHS) reportedly will release a draft of its 72-hour reporting requirements for critical infrastructure under the Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA) in the next month or so. The private sector, which already faces a patchwork of incident reporting mandates, is keenly interested in how these broad new rules will take shape.
A variety of other incident and breach reporting regulations continue to emerge from both the federal government and states. For example:
- New SEC cyber incident reporting rules
- The FCC's controversial new data breach reporting obligations, mandating breach notifications to consumers, the FCC, and law enforcement for certain data breaches involving a broader range of data than the FCC has typically claimed authority over.
- A new set of requirements for reporting is being contemplated for federal government contractors, as well.
- At the state level, the New York Department of Financial Services (NYDFS) adopted amendments to its Cybersecurity Requirements for Financial Services Companies, which add to the existing requirement for a covered entity to notify the agency no later than 72 hours after determining that a cybersecurity incident has occurred.
- The Office of the National Cyber Director (ONCD), within the Executive Office of the President (EOP) released an RFI in July 2023 that sought comments on how to harmonize cybersecurity regulations. ONCD’s RFI came during the continued onslaught of new cybersecurity proposals and expectations which create complex compliance burdens on organizations across a range of sectors, many of which are already subject to various other cyber incident reporting and regulatory obligations.
Organizations will need to get a handle on all of these competing regulatory requirements. The growing number of varied confidential and public reporting requirements necessarily affects how regulators treat incidents and victims.
- New cyber mandates are coming – how far will requirements go?
The government is seeking to “rebalance” responsibilities in cyber as described in the National Security Strategy released in March 2023. As a result, regulators are moving toward new substantive requirements, using varied approaches. DHS has developed Cross-Sector Cybersecurity Performance Goals, which were supposed to be voluntary but are being identified by regulators as part of new requirements.
National security agencies and regulators partnered to offer recommendations for the private sector which called on technology manufacturers to take ownership of improving the security outcomes of their customers and to break the vicious cycle of creating and applying fixes. In October, the government released Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security by Design and Default, with international peers, advising providers to implement “secure-by-default” designs and in some cases override customers’ security choices. The move to recommending secure-by-design further highlights the government’s embrace of cybersecurity performance goals, originally developed for critical infrastructure, as setting an important bar for other sectors as well.
Other agencies are moving forward with operational and administrative mandates, like the third Security Directive released by the TSA for rail and
- Zero trust gets codified – is it a catch phrase or a concept with staying power?
2023 brought attempts to codify “zero trust” as the government continued to promote the security concept and vendors started selling it. NIST and other parts of government, including the President’s National Security Telecommunications Advisory Committee (NSTAC), began looking at zero trust years ago; the concept that assets and user accounts should not be trusted based solely on their physical or network location or ownership is not new.
In 2024, researchers will study how zero trust evolves and whether it turns out to be a buzzword for familiar ideas, or whether it has staying power in mandates and contract requirements. If the latter, we will be interested in how prescriptive and predictable those turn out to be.
- Software development and assurance mandates come to life—how will attestation issues be resolved?
The Federal Government is developing requirements for vendors to demonstrate secure software development practices—a task assigned in the 2021 Executive Order 14028, Improving the Nation’s Cybersecurity. CISA and the Office of Management and Budget (OMB) have moved forward with a common form for “Secure Software Development Attestation months of OMB approval, and within six months of OMB approval for all other software.
Alongside the forthcoming mandates for government contractors, the Cybersecurity and Infrastructure Security Agency (CISA) continues to emphasize its “Secure by Design” campaign.
With mandates for government contractors coming soon, and the government continuing to emphasize changes to software development business practices, companies should be looking to assess their existing programs against government guidance, engage with the appropriate agencies to help them understand existing practices and tradeoffs, and consider expanding compliance programs to address new requirements.
- Surveillance issues will be prominent, from FISA Section 702 reauthorization to government network monitoring – how will government balance national security and privacy interests and protect compliant companies?
It is important to national security to ensure that the Intelligence Community can fulfill its vital mission of protecting the country in an increasingly dangerous world, as geopolitical tensions exploded on multiple fronts by the end of 2023. At the same time, U.S. person privacy interests need to be protected. Congress should also consider the needs of companies subject to this form of compulsory legal process. Companies on the receiving end of a FISA Section 702 directive want predictable standards and processes so that they understand whether they operate covered services and what they are expected to produce to the government. Companies also seek civil immunity from lawsuits when they respond to, and comply with, lawful government process in good faith.
- Pressure and focus on CISOs continue – how will risks to CISOs expand?
In a first for the SEC, the SEC charged a company’s chief information security officer (CISO) with fraud for allegedly making misleading statements in SEC filings related to their company’s known cybersecurity risks.
The SEC’s action likely previews the increased scrutiny that CISOs will face going forward. Among other things, the SEC’s action emphasized that CISOs must have in place robust cybersecurity policies and procedures, be prepared to promptly escalate known security issues, document internal discussions, decisions and judgment calls in the event of an incident, and carefully review the accuracy of any public statements or disclosures about the breach.
- SEC disclosures will influence public discussions of cyber incidents – will the new rules routinize partial information sharing or make companies embrace the unknown?
The SEC’s enforcement actions related to cybersecurity take on a new urgency in 2024. The FBI has issued supplemental guidance indicating that companies will be able to obtain delays in public reporting for national security reasons only in limited circumstances, so public companies will have to make fast and accurate determinations about what information to disclose.
Now that the SEC rules are in effect, the press, regulators, and even criminals are closely watching for cybersecurity incident disclosure 8-Ks.
Companies will need to develop and practice their capabilities to produce the mandated disclosures in compliance with the SEC’s rule amidst the atmosphere of uncertainty and disruption that material cybersecurity incidents bring.
- DHS/CISA will be put to the test as CIRCIA shifts the agency’s role – how will this impact the private sector?
As mentioned above, CIRCIA requires CISA to create broad new rules for critical infrastructure to report a “significant cyber incident” to CISA within 72 hours and report a ransomware payment within 24 hours.
The parameters surrounding the reporting of incidents and ransomware payments will be determined during the rulemaking. CISA is required to issue a Notice of Proposed Rulemaking (NPRM) within 24 months of enactment and a final rule within 18 months following the NPRM. CIRCIA signals a significant shift in the role of CISA, which has not previously acted as a regulator of critical infrastructure and instead functions through collaboration and partnership with critical infrastructure, particularly on cybersecurity.
- AI and cyber policy interact as regulatory interest in AI explodes
Every regulator and legislator appears to be interested in artificial intelligence, with myriad proposals progressing at the state and federal level.
Security challenges associated with AI parallel cybersecurity challenges associated with previous generations of software that manufacturers did not build to be secure by design, putting the burden of security on the customer.
Although AI software systems might differ from traditional forms of software, fundamental security practices still apply.
Researchers set up a working group at Wiley to address cross-sector AI issues, and we are closely following how regulators and legislators will address AI in 2024 and whether cyber will drive new regulation of AI.