The Biden administration — less than a year after launching its national cybersecurity strategy — is moving forward with efforts to protect critical infrastructure, hold manufacturers accountable for product security and compel private sector companies to disclose material events.
Concerns about cyber risk have become one of the most pressing issues facing companies today. The annual Allianz Risk Barometer showed cyber events — including data breaches, ransomware and IT outages — are the top concern for U.S. businesses, replacing business interruption.
Baker McKenzie’s 2024 dispute forecast found cybersecurity and data privacy are the two leading concerns in terms of investigations.
Fueled by a surge in malicious cyber threats from criminal ransomware and rogue nation-states, the push for cybersecurity regulation is expected to reach new heights in 2024.
The new and enhanced regulatory environment is forcing companies to take a more proactive risk management approach so they can identify potential threats before they escalate into cyber incidents, according to Cyrus Vance, former Manhattan district attorney and the co-chair of Baker McKenzie’s North America Enforcement Practice.
“This will involve creation of more robust risk assessment processes, continuous monitoring and implementation of more advanced security measures,” Vance said via email.
As an example, Vance cited enhanced regulations from the New York State Department of Financial Services, which will require companies to certify cyber resilience and preparedness.
Public companies are closely watching the Securities and Exchange Commission case against SolarWinds for guidance on how enterprises and key executives should disclose material events and be transparent about cyber risk.
The SEC caused shock waves across much of the cyber community by filing civil charges against SolarWinds and CISO Tim Brown for allegedly misleading investors about the known risk factors prior to the 2020 Sunburst attack by state-linked threat actors.
“So the name of the game for the SEC cybersecurity rule is materiality,” said Jennie Wang VonCannon, a partner at Crowell & Moring, who previously served as a federal prosecutor.
Companies are taking a closer look at what they have told investors in the past about cyber risks and considering whether they want to update that information moving forward. Organizations are also working to make sure they are prepared, developing incident response plans, and conducting tabletop exercises.
The goal is to ensure that if and when there is a serious incident, they can respond quickly.
This is especially important because under the SEC rules, which companies were required to comply with in December, publicly traded companies have four business days from materiality determination to report an incident to the SEC.
Critical infrastructure providers will also be subject to additional reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act. CISA is expected to publish the Notice of Proposed Rulemaking and open up for public comments by March.
Enforcement pushback
SolarWinds is pushing back against the SEC allegations, insisting that it repeatedly warned investors about the risk of attack and claiming the agency is trying to “move the goalposts” after the company cooperated with authorities for three years, according to a Friday court filing.
"SolarWinds made proper, accurate disclosures both before and after the unprecedented Sunburst cyberattack, which is why this case should be dismissed,” the company said in a statement.
The real challenge for companies is not determining the immediate financial impact, but the qualitative materiality, according to Joe Nocera, partner leader of cyber risk and regulatory marketing at PwC.
“Damages to reputation, loss of future revenue streams from lost intellectual property, customer satisfaction, potential regulatory actions — that's not nearly as mathematical of a calculation,” Nocera said via email. “So, it's important for companies to develop a qualitative, well-documented framework for making a materiality determination.”
Another major push by federal authorities is to raise the minimum standards for product security, particularly those used in enterprise applications and hardware devices.
The Cybersecurity and Infrastructure Security Agency has urged software developers and technology manufacturers to embrace secure by design and secure by default principals. This would push companies to bake security considerations into product development lifecycles, shifting away from requiring users to make extensive configuration changes after they install an application or new device.
In late December, CISA issued a request for industry input on how to implement the secure by design effort, focusing on ways to reduce product vulnerabilities and incorporate product security into higher education.
Bryan Willett, CISO at Lexmark, welcomes the advancement of additional cybersecurity regulations as a way to advance product security.
“There are numerous companies that prioritize the security of their offerings,” Willett said via email. “However, there are even more companies that develop a product, sell it, and then neglect it.”
As companies and consumers become more reliant on cloud-based services and connected devices, they need assurances about the level of trust they can place in any of these products, Willett said.
Change abroad
The regulatory landscape is not only an issue in the U.S. In late November, an agreement was reached on the European Union's Cyber Resilience Act, which will require all digital products sold in the EU to meet minimum cybersecurity standards.
The standard will apply to consumer products, like smart watches and televisions, and hardware and software used in enterprise settings.
Companies will be required to implement secure development measures “across the entire lifecycle of the product, from the design and development, to after the product is placed on the market,” a spokesperson for the European Commission said.
Like other regional efforts, including the General Data Protection Regulation, the practical effect will be to raise standards for multinational manufacturers, no matter where the company is based.
The Biden administration proposed its own security labeling program last summer, called the U.S. Cyber Trust Mark, which would create a certification for smart devices that met certain security standards.
Smart devices, ranging from connected security cameras to medical devices and networking equipment, are targeted by hackers billions of times per year.
“The fundamental issue is that incentives matter and as things stand now, device manufacturers and software vendors are rarely, if ever, held legally responsible for cybersecurity failures,” FCC Commissioner Nathan Simington said in a December speech before the Practicing Law Institute Conference.
Simington, an original supporter of the program, said products being granted a Cyber Trust Mark should have to meet a high security standard, and federal purchases should have to meet that standard. Simington also said manufacturers should not be granted a liability shield.
