Cybersecurity: Regulatory Trends


Lower barriers to entry for cyber threat actors, more aggressive attack methods, a shortage of cyber security professionals, and patchwork governance mechanisms all increase the risk of cyber crime. Cyberattacks, particularly those involving ransomware, have become even more financially motivated, complex, and daring. Additionally, the large-scale shift toward remote working caused by the Covid-19 pandemic has transformed the cybersecurity landscape.

Below are the key regulatory trends impacting the cybersecurity issue as identified by GlobalData.

Reporting on cybersecurity breaches by US banks

The impact of the new cybersecurity incident reporting regulations on US banks will be significant. The rules require US banks to notify federal regulators of cybersecurity incidents within 36 hours of discovery. Security personnel must ensure that appropriate technical, administrative, and physical safeguards are in place to detect computer security incidents and have policies and procedures in place to determine if they reach a notification incident level. They must also maintain appropriate regulatory contact points so that the agency can be contacted quickly should the need arise.

Working together on supply chain security

Governments around the world, including the US, France and the UK, take supply chain security seriously and are working together to prevent supply chain attacks. In May 2021, the US government issued executive orders to improve supply chain security after a series of cyberattacks, including the attack on SolarWinds’ network management tools in December 2020 that affected up to 18,000 companies.

The US executive order mandated the development of security standards for software sold to the US government to address vulnerabilities in software supply chains, including requiring developers to be more transparent about their software. In the UK, the Government's Cyber Security Breaches Survey 2021 found that only 12% of companies have assessed the cybersecurity risks posed by their suppliers and 5% have done so across their entire supply chain. A key concern is low recognition of supplier risk: many organizations are unclear about how their suppliers' cybersecurity is linked to their own security.

Greater international cooperation is now the order of the day to combat threats. In November 2021, after meeting French President Emmanuel Macron, US Vice President Kamala Harris said the US would join a framework offered by the French government for cooperation on cyber and supply chain security.

Disclosure obligation of cyber attacks

The US Securities and Exchange Commission (SEC) and US Senate are tightening cyber-attack disclosure rules. It follows a call for stricter reporting rules following the 2021 series of ransomware attacks against Colonial Pipeline, meat processor JBS and software company Kaseya, among others.

The new rule, proposed by the SEC in March 2022, would require public companies to disclose cyberattacks within four days, along with regular reports on their cyber risk management plans. In particular, the proposed rule would amend reporting requirements to include disclosure of cybersecurity incidents “within four business days after the registrant becomes aware that it has experienced a material cybersecurity incident”.

In March 2022, the US Senate also unanimously passed the Strengthening American Cybersecurity Act of 2022. Among other things, this would require operators of critical infrastructure and federal agencies to report cyber attacks and ransomware payments.

The gradual changes in disclosure thinking follow a call from Microsoft President Brad Smith for mandatory disclosure of cyberattacks. Smith called on US lawmakers to require companies and organizations to report any cyberattacks they face to better protect the country from incidents like the SolarWinds system breach.

EU legislation on cybersecurity

Creating new laws to deal with cybersecurity is a challenge for a country. It is even more difficult to introduce them in 27 countries. A new EU draft law, NIS2, establishes stricter cybersecurity obligations in terms of risk management, reporting requirements and information sharing. The law will introduce new rules in all member states of the EU to improve the security of networks and information systems.

EU countries would have to take stricter supervisory and enforcement measures and harmonize their sanctions regimes. The requirements include incident response, supply chain security, encryption and disclosure of vulnerabilities, among others. The directive also creates a framework for better cooperation and information sharing between authorities and member states and creates a European vulnerability database.

The original European cybersecurity directive was introduced in 2017, but EU countries have all implemented it differently, resulting in insufficient levels of cybersecurity. A number of issues remain to be resolved under NIS2, including reporting requirements in the event of a cyber incident. Once passed, the law is expected to come into force by 2024.

Security standards for consumer software

The US government wants consumers to care more about whether their internet-connected devices are hackable or not. It wants to go beyond increasing cyber defenses in critical industries and try to change the way people think about cybersecurity. It remains to be seen whether other countries will copy the move.

The effort emerged from President Biden's Cybersecurity Executive Order in May 2021 and was driven by the US National Institute of Standards and Technology (NIST). NIST plans to create a certification program that will verify that Internet-connected devices meet basic cyber standards, such as accepting software patches and allowing users to control what information the devices collect and share about them.

This is an edited excerpt from the Cybersecurity – Thematic Research Report prepared by GlobalData Thematic Research.
