Lower barriers to entry for cyber threats, more aggressive methods of attack, a shortage of cybersecurity professionals, and disparate governance mechanisms compound the risk of cybercrime. Cyberattacks, especially those involving ransomware, have become even more financially motivated, multilayered and audacious. Additionally, the large-scale shift to remote working caused by the Covid-19 pandemic has transformed the cybersecurity landscape.
Below are the top regulatory trends impacting the topic of cybersecurity, as identified by GlobalData.
Reporting Cyber Security Breaches of U.S. Banks
The impact of the new cybersecurity incident reporting rules on US banks will be significant. The rules mean that US banks must notify federal regulators of any cybersecurity incident within 36 hours of discovery. Security personnel will need to ensure that appropriate technical, administrative and physical safeguards are in place to discover computer security incidents, and have policies and procedures in place to determine whether an incident reaches the level of a notification incident. They will also need to maintain appropriate regulatory contact points so that the agency can be contacted quickly if needed.
Supply Chain Security Cooperation
Governments around the world, including the United States, France, and the United Kingdom, are beginning to take supply chain security seriously and cooperate to prevent supply chain attacks. In May 2021, the U.S. government issued an executive order to bolster supply chain security following a series of cyberattacks, including the attack on SolarWinds network management tools in December 2020, which impacted up to 18,000 organizations.
The US executive order mandated the development of security standards for software sold to the US government to address vulnerabilities in software supply chains, including requiring developers to provide greater visibility into their software. In the UK, the Government Cybersecurity Breaches Survey 2021 found that only 12% of companies have reviewed the cybersecurity risks posed by their immediate suppliers, and 5% have done so for their wider supply chain. One of the main concerns is the low recognition of supplier risk: many organizations are often unaware of how their suppliers’ cybersecurity relates to their own security.
Greater international cooperation is now envisaged to combat the threats. In November 2021, following a meeting with French President Emmanuel Macron, US Vice President Kamala Harris said that the United States would subscribe to a framework proposed by the French government for cooperation on cybersecurity and supply chain security.
Mandatory disclosure of cyberattacks
The U.S. Securities and Exchange Commission (SEC) and the U.S. Senate are tightening rules on mandatory cyberattack disclosure. It follows a call for more robust reporting rules after the 2021 spate of ransomware attacks against the Colonial Pipeline, meat processor JBS and software company Kaseya, among others.
The new rule proposed by the SEC in March 2022 would require public companies to disclose cyberattacks within four days, along with periodic reports on their cyber risk management plans. Specifically, the proposed rule would change reporting requirements to include disclosure of cybersecurity incidents “within four business days after the reporter determines that they have experienced a significant cybersecurity incident.”
In March 2022, the US Senate also unanimously passed the Strengthening American Cybersecurity Act of 2022. It would, among other things, require critical infrastructure operators and federal agencies to report cyberattacks and ransomware payments.
The incremental changes in disclosure thinking follow a call from Microsoft President Brad Smith for mandatory disclosure of cyberattacks. Smith urged U.S. lawmakers to impose a duty on businesses and organizations to report any cyberattacks they face to better protect the country from incidents such as breaches of SolarWinds systems.
European cybersecurity legislation
Creating new laws to deal with cybersecurity is a challenge for a country. It is even more difficult to introduce them in 27 countries. A new EU bill, NIS2, sets stricter cybersecurity obligations for risk management, reporting obligations and information sharing. The law will introduce new rules in EU member states to improve the security of networks and information systems.
EU countries should adhere to stricter monitoring and enforcement measures and harmonize their sanctions regimes. Requirements include incident response, supply chain security, encryption, and vulnerability disclosure, among other provisions. The directive also establishes a framework for better cooperation and information sharing between authorities and member states and creates a European database on vulnerabilities.
The original EU cybersecurity directive was put in place in 2017, but EU countries have all implemented it differently, leading to insufficient levels of cybersecurity. Several issues still need to be resolved under NIS2, including reporting requirements in the event of a cyber incident. Once approved, the law is expected to come into force by 2024.
Consumer Software Security Standards
The US government wants consumers to care more about whether their internet-connected devices are hackable or not. It wants to go beyond increasing cyber defenses in critical industries to try to change the way people think about cybersecurity. It remains to be seen whether other countries will follow suit.
The effort emerged from President Biden’s Executive Order on Cybersecurity in May 2021, and it was launched by the US National Institute of Standards and Technology (NIST). NIST plans to create a certificate program that verifies that Internet-connected devices meet basic cyber standards, such as accepting software patches and giving users control over what information devices collect and share about them.
This is an edited excerpt from Cybersecurity – Thematic research report produced by GlobalData Thematic Research.