Preparing for Cybersecurity Regulations [Weekly Cybersecurity Brief]

As cybersecurity awareness has grown and the threat landscape has widened, one major result has been a heavier emphasis on regulation. To bring some consistency to cybersecurity practice across sectors, regulators have released requirements covering incident-reporting windows, processes and more. This week, we look at how that regulatory activity continues to unfold, how organizations should prepare for it, and how the trend will affect business activities such as investing.

Let us begin with the types of regulation being drawn up. The effects of cyberattacks are hard to ignore: they are no longer isolated cases but a cross-sector, cross-industry risk. In response, many U.S. government agencies have introduced stricter cybersecurity requirements, including the Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy and Cybersecurity and Infrastructure Security Agency. Around thirty-six states have taken more localized action, and several other countries have implemented rules of their own. Much of this, especially in the U.S., has focused on new reporting timeframes for critical-infrastructure sectors. However, as the Harvard Business Review piece points out, there is confusion about what exactly counts as an incident that must be reported under these rules, and companies operating internationally must also work out how to reconcile differing national requirements.

In the meantime, there are steps organizations can take as they navigate this regulatory path. In the Harvard Business Review piece, Stuart Madnick suggests making sure cybersecurity procedures and ransomware policies are “up to task” and getting ready to produce a Software Bill of Materials (SBOM), an inventory of the components that make up the software an organization builds or runs.
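As an added illustration of what the SBOM recommendation means in practice (this is example code written for this brief, not code from the HBR article or any of the cited sources), the script below builds a minimal CycloneDX-format SBOM from a constructed dependency list, checks that every component carries the fields needed to identify it, and then matches components against a constructed advisory list. The package names, versions and the advisory identifier are all hypothetical.

```python
import json
from urllib.parse import quote

# Constructed sample dependency inventory (hypothetical package names and versions).
# The third entry deliberately lacks a version to show the validation check firing.
DEPENDENCIES = [
    {"type": "library", "name": "example-web", "version": "2.4.1", "ecosystem": "pypi"},
    {"type": "library", "name": "example-crypto", "version": "1.0.3", "ecosystem": "pypi"},
    {"type": "library", "name": "example-logger", "version": "", "ecosystem": "pypi"},
]


def make_purl(ecosystem, name, version):
    """Build a Package URL (purl) such as pkg:pypi/example-web@2.4.1.

    The purl is the identifier that lets an SBOM be matched against
    advisory feeds, so name and version are percent-encoded to keep it unambiguous.
    """
    purl = f"pkg:{ecosystem}/{quote(name, safe='')}"
    if version:
        purl += f"@{quote(version, safe='')}"
    return purl


def build_sbom(deps, app_name, app_version):
    """Assemble a minimal CycloneDX 1.4 JSON document for one application."""
    components = []
    for d in deps:
        components.append({
            "type": d["type"],
            "name": d["name"],
            "version": d["version"],
            "purl": make_purl(d["ecosystem"], d["name"], d["version"]),
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name, "version": app_version}
        },
        "components": components,
    }


# Fields every component needs before the SBOM is useful for vulnerability matching.
REQUIRED_FIELDS = ("type", "name", "version", "purl")


def validate_sbom(sbom):
    """Return a list of problems; an empty list means the SBOM passes these checks."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    for i, component in enumerate(sbom.get("components", [])):
        for field in REQUIRED_FIELDS:
            if not component.get(field):
                problems.append(f"component {i} ({component.get('name', '?')}): missing {field}")
    return problems


# Constructed advisory map (hypothetical identifier, not a real advisory), keyed by purl.
ADVISORIES = {"pkg:pypi/example-crypto@1.0.3": "EXAMPLE-0001"}


def match_advisories(sbom, advisories):
    """Return (purl, advisory id) pairs for every component that appears in the advisory map."""
    return [
        (c["purl"], advisories[c["purl"]])
        for c in sbom["components"]
        if c["purl"] in advisories
    ]


if __name__ == "__main__":
    sbom = build_sbom(DEPENDENCIES, "example-app", "0.1.0")
    print(json.dumps(sbom, indent=2))
    for problem in validate_sbom(sbom):
        print("PROBLEM:", problem)
    for purl, advisory in match_advisories(sbom, ADVISORIES):
        print("ADVISORY:", purl, advisory)
```

The value of the exercise is the last two functions: an SBOM with complete purls turns the question “are we exposed to this advisory?” into a lookup, while a component with a missing version (as the third constructed entry shows) cannot be matched and should be fixed at build time rather than during an incident.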

It is also important to stay on top of the adjustments being made to specific regulations. For example, the New York Department of Financial Services (NYDFS) recently proposed amendments to its cybersecurity requirements for financial services companies. On top of adding a new class of covered companies, the changes would require covered companies to meet specific cybersecurity controls, including an independent audit at least once a year and vulnerability scans weekly. Covered entities would also have to give their CISOs enough authority to oversee risk management properly, and to run training programs covering incident response plans, phishing attacks and more.

Another set of measures, proposed by the SEC earlier in the year, would impose cybersecurity risk management requirements on private equity and private capital firms. They would apply to registered investment advisers (RIAs) and funds, requiring them to create Written Information Security Programs (WISPs), to follow time and procedural rules for reporting cyber breaches to the SEC, and to add cybersecurity disclosure statements to marketing materials. As summarized at Forbes, SEC Chair Gary Gensler said of the proposal, “Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets… The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”

Key Takeaways:

“New Cybersecurity Regulations Are Coming. Here’s How to Prepare.” – Stuart Madnick, Harvard Business Review

https://hbr.org/2022/08/new-cybersecurity-regulations-are-coming-heres-how-to-prepare

  • Many governmental agencies have introduced stricter cybersecurity requirements, including the Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy and Cybersecurity and Infrastructure Security Agency.
  • Much of this has been focused on introducing updated reporting timeframes for critical infrastructure fields. However, there has been confusion around what type of incidents to report.
  • As this gets sorted out, organizations can make sure that cybersecurity procedures are up to date and prepare artifacts such as a Software Bill of Materials.

“Proposed Amendments to NY Financial Services Cybersecurity Regulations Impose New Obligations on Large Entities, Boards of Directors and CISOs” – Hunton Andrews Kurth, The National Law Review

https://www.natlawreview.com/article/proposed-amendments-to-ny-financial-services-cybersecurity-regulations-impose-new

  • The New York Department of Financial Services (NYDFS) recently proposed amendments to its cybersecurity requirements for financial services companies.
  • The proposed requirements include conducting independent audits at least once a year and vulnerability scans weekly.
  • Covered entities would also have to give their CISOs enough authority to oversee risk management properly, and to run training programs covering incident response plans, phishing attacks and more.

“How The Newly Imposed SEC Cybersecurity Rules Impact Private Funds and Investors” – Tara Anderson, Forbes

https://www.forbes.com/sites/forbestechcouncil/2022/08/29/how-the-newly-imposed-sec-cybersecurity-rules-impact-private-funds-and-investors/?sh=3752111e6c70

  • Rules proposed by the SEC earlier in the year would impose cybersecurity risk management requirements on private equity and private capital firms.
  • The measures would apply to registered investment advisers (RIAs) and funds and require them to create Written Information Security Programs (WISPs).
  • They would also have to follow time and procedural rules for reporting cyber breaches to the SEC and add cybersecurity disclosure statements to marketing materials.