New Cybersecurity Regulations
New Cybersecurity Regulations Are Coming. Here’s How to Prepare.
Cybersecurity has reached a tipping point. After decades of private-sector organizations more or less being left to deal with cyber incidents on their own, the scale and impact of cyberattacks means that the fallout from these incidents can ripple across societies and borders.
Now, governments feel a need to “do something,” and many are considering new laws and regulations. Yet lawmakers often struggle to regulate technology — they respond to political urgency, and most don’t have a firm grasp on the technology they’re aiming to control. The consequences, impacts, and uncertainties on companies are often not realized until afterward.
In the United States, a whole suite of new regulations and enforcement are in the offing: the Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and Cybersecurity and Infrastructure Security Agency are all working on new rules. In addition, in 2021 alone, 36 states enacted new cybersecurity legislation. Globally, there are many initiatives such as China and Russia’s data localization requirements, India’s CERT-In incident reporting requirements, and the EU’s GDPR and its incident reporting.
Companies don’t need to just sit by and wait for the rules to be written and then implemented, however. Rather, they need to be working now to understand the kinds of regulations that are presently being considered, ascertain the uncertainties and potential impacts, and prepare to act.
What We Don’t Know About Cyberattacks
To date, most countries’ cybersecurity-related regulations have been focused on privacy rather than cybersecurity, thus most cybersecurity attacks are not required to be reported. If private information is stolen, such as names and credit card numbers, that must be reported to the appropriate authority. But, for instance, when Colonial Pipeline suffered a ransomware attack that caused it to shut down the pipeline that provided fuel to nearly 50% of the U.S. east coast, it wasn’t required to report it because no personal information was stolen. (Of course, it is hard to keep things secret when thousands of gasoline stations can’t get fuel.)
As a result, it’s almost impossible to know how many cyberattacks there really are, and what form they take. Some have suggested that only 25% of cybersecurity incidents are reported, others say only about 18%, others say that 10% or less are reported.
The truth is that we don’t know what we don’t know. This is a terrible situation. As the management guru Peter Drucker famously said: “If you can’t measure it, you can’t manage it.”
What Needs To Be Reported, by Whom, and When?
Governments have decided that this approach is untenable. In the United States, for instance, the White House, Congress, the Securities and Exchange Commission (SEC), and many other agencies and local governments are considering, pursuing, or starting to enforce new rules that would require companies to report cyber incidents — especially critical infrastructure industries, such as energy, health care, communications and financial services. Under these new rules, Colonial Pipeline would be required to report a ransomware attack.
To an extent, these requirements have been inspired by the reporting recommended for “near misses” or “close calls” for aircraft: When aircraft come close to crashing, they’re required to file a report, so that failures that cause such events can be identified and avoided in the future.
On its face, a similar requirement for cybersecurity seems very reasonable. The problem is, what should count as a cybersecurity “incident” is much less clear than the “near miss” of two aircraft being closer than allowed. A cyber “incident” is something that could have led to a cyber breach, but does not need to have become an actual cyber breach: By one official definition, it only requires an action that “imminently jeopardizes” a system or presents an “imminent threat” of violating a law.
This leaves companies navigating a lot of gray area, however. For example, if someone tries to log in to your system but is denied because the password is wrong. Is that an “imminent threat”? What about a phishing email? Or someone searching for a known, common vulnerability, such as the log4j vulnerability, in your system? What if an attacker actually got into your system, but was discovered and expelled before any harm had been done?
This ambiguity requires companies and regulators to strike a balance. All companies are safer when there’s more information about what attackers are trying to do, but that requires companies to report meaningful incidents in a timely manner. For example, based on data gathered from current incident reports, we learned that just 288 out of the nearly 200,000 known vulnerabilities in the National Vulnerability Database (NVD) are actively being exploited in ransomware attacks. Knowing this allows companies to prioritize addressing these vulnerabilities.
On the other hand, using an overly broad definition might mean that a typical large company might be required to report thousands of incidents per day, even if most were spam emails that were ignored or repelled. This would be an enormous burden both on the company to produce these reports as well as the agency that would need to process and make sense out of such a deluge of reports.
International companies will also need to navigate the different reporting standards in the European Union, Australia, and elsewhere, including how quickly a report must be filed — whether that’s six hours in India, 72 hours in the EU under GDPR, or four business days in the Unites States, and often many variations in each country since there is a flood of regulations coming out of diverse agencies.
What Companies Can Do Now
Make sure your procedures are up to the task.
Companies subject to SEC regulations, which includes most large companies in the United States, need to quickly define “materiality” and review their current policies and procedures for determining whether “materiality” applies, in light of these new regulations. They’ll likely need to revise them to streamline their operation — especially if such decisions must be done frequently and quickly.
Keep ransomware policies up to date.
Regulations are also being formulated in areas such as reporting ransomware attacks and even making it a crime to pay a ransom. Company policies regarding paying ransomware need to be reviewed, along with likely changes to cyberinsurance policies.
Prepare for required “Software Bill of Materials” in order to better vet your digital supply chain.
Many companies did not know that they had the log4j vulnerability in their systems because that software was often bundled with other software that was bundled with other software. There are regulations being proposed to require companies to maintain a detailed and up-to-date Software Bill of Materials (SBOM) so that they can quickly and accurately know all the different pieces of software embedded in their complex computer systems.
Although an SBOM is useful for other purposes too, it may require significant changes to the ways that software is developed and acquired in your company. The impact of these changes needs to be reviewed by management.
What More Should You Do?
Someone, or likely a group in your company, should be reviewing these new or proposed regulations and evaluate what impacts they will have on your organization. These are rarely just technical details left to your information technology or cybersecurity team — they have companywide implications and likely changes to many policies and procedures throughout your organization. To the extent that most of these new regulations are still malleable, your organization may want to actively influence what directions these regulations take and how they are implemented and enforced.
Acknowledgement: This research was supported, in part, by funds from the members of the Cybersecurity at MIT Sloan (CAMS) consortium.
CyberSecurity Regulation. The Move Towards Board Involvement
Credit : Behavior Group , click here
Regulators are the catalyst for stronger measures in cyber security, and new regulation from the EU is going to have a serious impact on organizations that process EU citizen data. After four years of diligence and debate, The EU Parliament approved the Global Data Protection Regulation (GDPR) on April 14, 2016. It will enter into effect on May 25, 2018, at which time those organizations in non-compliance will face heavy fines.
“GDPR is a revolutionary regulation, brought in to replace the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy, bringing cyber into the boardroom,” according to Ariel Evans.
The key articles of the GDPR, as well as information on its business impact are of high interest to boards and senior executives. Under GDPR, organizations could suffer from hefty fines of up to 4% of annual global turnover or €20 Million, whichever is greater, in case of a breach.
Such a fine could be enforced for serious infringement such as not ensuring the security of the systems that process EU citizen data and lack of risk assessments. Member states can also add to these fines. The Netherlands, for instance, has more than doubled its own fining capacity to 10% of annual revenues.
The idea is to make organizations proactive about their security at a boardroom level and prevent data breaches of EU nationals from occurring.
“Alignment with these requirements can reduce the chances of triggering a Data Protection Authority (DPA) to investigate a company’s privacy practices,” notes Evans. European privacy advocates are pressuring DPAs to fully exercise these new powers after May 2018. To manage this risk, multinationals should have a means to demonstrate alignment with the GDPR requirements and communication of this program with DPAs that have jurisdiction over their major European operations.
“GDPR compliance also helps to mitigate their other business cybersecurity risks,” explains Evans. “There are many, many similarities between GDPR and other global regulations relating to data protection and privacy. The impact however is greater and its scope is extensive.”
The regulation applies if the organization or data processor is processing EU citizen data. This includes organizations based outside the European Union if they process personal data of EU residents, expanding the scope to all global organizations regardless if they’re based in Europe or abroad.
Says Evans, “GDPR consists of about 100 different articles, including the need to conduct a Privacy Impact Assessment (PIA), protect customer data, as in applications need to be secured by default and by design, and requires system risk assessments, as well as articles related to the rights of customers, for example, to ‘be forgotten,’ and 72-hour breach notification notice.
“Preparing for the GDPR and complying with its obligations once it enters into force will require significant resources and commitment from companies. Automating as much of the requirements will reduce costs and resource requirements.”
On top of that, less than 20% of organizations are ready for GDPR: “Setting up an adequate structure and determining responsibilities will be an essential first step,” explains Evans.
She continues, “On the operational level, a PIA is needed to assess your current security controls to determine the effectiveness of the confidentiality and integrity of your systems. Based on these findings, a risk assessment will determine where to focus your cyber security control needs.”
GDPR will change the way organizations move from check box compliance to proactive security programs with board involvement. Since regulator can request information at any time, not having it is an immediate breach of the regulations. Additionally, GDPR impacts the supply chain and compliance requests from other organizations will become a prerequisite to do business with the EU.
After the GDPR is in full effect, only time will tell the effectiveness of this regulation and its impact on consumer security
To read more Cybersecurity Leadership articles , click here