Regulatory prescience ... revisited.
June 2023
I previously introduced the "regulatory prescience" concept to highlight the significance of staying informed about cybersecurity and data privacy regulatory developments. As there are currently no comprehensive federal laws addressing cybersecurity or data privacy, federal and state regulators have largely followed the lead of European regulators in addressing cybersecurity, risk management, compliance, and now AI regulation. This trend shows no signs of slowing down, reinforcing that businesses in all sectors should continue prioritizing cybersecurity governance and risk management practices. These regulatory developments will continue to impact third parties throughout the supply chain, regardless of whether a business is directly regulated.
At issue last year were the New York Department of Financial Services (DFS) cybersecurity requirements, which require policies and procedures designed to ensure security and confidentiality. I also highlighted the Securities and Exchange Commission's (SEC) proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule to enhance and standardize cybersecurity risk management and incident reporting. The final rule was expected in April but has garnered additional attention, putting the final rule on hold for a bit longer. One thing seems clear: the new rule will undoubtedly put extra pressure on publicly traded company boards to ensure appropriate cybersecurity expertise, among other requirements. Also, you may remember that the Federal Trade Commission announced a proposed rulemaking to address privacy regulations and data security. Beyond rulemaking, the SEC and FTC intend to pursue investigations and enforcement actions.
Recall that the DFS rule extends to third parties that provide services to a DFS-regulated entity and, through its services, are permitted access to nonpublic information. Third-party providers should expect similar requirements from the SEC, FTC, or [fill in your favorite regulator here]. So, let's look at what has transpired since October and what it means for businesses or third-party partners in today's complex technology and cyber landscape.
The SEC has been busy.
Notably, the SEC identified in its 2023 Examination Priorities that cybersecurity remains a focus in light of "market events, geopolitical concerns, and the proliferation of cybersecurity attacks, particularly ransomware attacks."
The SEC plans to concentrate on registrants' policies, procedures, governance practices, regulatory compliance, operational resiliency, and cyber-related incident response, including ransomware attacks. While the focus may differ depending on registrant class, the SEC plans to examine whether policies and procedures are "reasonably designed to safeguard customer records and information," including internal information systems and data stored via a third-party provider. Examinations will also highlight practices to prevent account intrusions and protect customer records and personally identifiable information. Moreover, the SEC has signaled that it will sharpen its focus on the cybersecurity issues of third-party vendors and the security and integrity of their products and services.
Predictably, the SEC's FY 2024 budget request includes 50 additional enforcement positions to prosecute "misconduct involving new and emerging issues such as crypto assets and cybersecurity."
Recognizing the continuing threats that cybersecurity risks pose to the US securities markets, the SEC announced several rule amendments consistent with examination priorities to enhance information protection, extending requirements for safeguards to a broader pool of registrants.
The SEC's proposed enhancements to Regulation S-P would require, among other things, that covered businesses adopt written incident response procedures to address unauthorized access to customer information, and have policies and procedures for timely notification of individuals whose sensitive information was, or is reasonably likely to have been, accessed without authorization.
The proposed Cybersecurity Risk Management Rule would add new rules and amendments to existing ones, requiring various entities to address cybersecurity risks through policies and procedures, immediately report significant cybersecurity incidents, and improve transparency through public disclosures. The proposal also includes record retention and compliance provisions.
The SEC also proposes amendments to Regulation Systems Compliance and Integrity (Regulation SCI) to broaden the definition of "SCI entity" and update provisions to account for technological advancements. The expansion would apply to "market participants that play a significant role in the U.S. securities markets and have the potential to impact investors, the overall market, or the trading of individual securities." The proposed updates cover systems classification, lifecycle management, third-party management, and cybersecurity.
There are mixed views regarding the proposed SEC regulations. Some groups believe the regulations are overly burdensome and contradictory, while others argue that the SEC should take a more stringent approach. Nevertheless, there is a clear trend toward enhancing cybersecurity governance and oversight, with an expanding list of businesses subject to regulations.
Others have been busy, too.
In other developments, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Treasury Department's Office of the Comptroller of the Currency issued final interagency guidance for third-party risk management. The guidance provides practical risk management principles for banking institutions to follow when developing and implementing risk management practices for third parties and evaluating operational resilience and cybersecurity measures. This includes analyzing disaster recovery plans, assessing business continuity practices, and reviewing the adequacy of cybersecurity insurance. Additionally, vendor contracts should reflect these operational resilience and cybersecurity obligations.
Of course, cybersecurity is not just an issue for financial regulators. The Department of Homeland Security (DHS) issued a "Notification of ratification of security directives," amending and extending cybersecurity measures for critical rail entities. Most notably, the directives require "performance-based cybersecurity measures" to prevent disruption of critical rail infrastructure and to implement measures for "critical cyber systems" (any Operational Technology (OT) or Information Technology (IT) system or data whose compromise could result in operational disruption), such as network segmentation controls between OT and IT systems; access controls; continuous monitoring, detection, and correction; and timely update and patch management for operating systems, applications, drivers, and firmware.
The Department of Defense is proposing revisions to the eligibility criteria for the voluntary Defense Industrial Base (DIB) Cybersecurity (CS) Program, intended to broaden the community of defense contractors who can benefit from cyber incident reporting and information sharing.
And the Federal Energy Regulatory Commission is revising its regulations to provide incentives for utilities that invest in Advanced Cybersecurity Technology and participate in cybersecurity threat information-sharing programs.
Phew! So What?
Although the trend was apparent last October, it is now undeniable that cybersecurity governance and risk management are fundamental business requirements. This is underscored by recent and projected regulatory actions to strengthen cybersecurity controls. Yet cyber threats are agnostic to whether a company is regulated. And while the focus is on critical infrastructure sectors, the new and proposed rules will impact third-party partners, particularly if their services include accessing nonpublic information or systems. If your company falls into this category, ensuring your cybersecurity measures are up to par is a good idea.
It's important to note that regulatory compliance is not the sole reason for enhancing your cybersecurity measures. Instead, the regulatory environment highlights challenges that most businesses will encounter soon. Therefore, business leaders must prioritize cybersecurity strategies to at least remain competitive. Cyber threats are an enterprise risk and require an enterprise response. A cybersecurity culture emphasizing cyber hygiene is essential for any business, regardless of size or revenue. And as further incentive, Accenture's State of Cybersecurity Resilience 2023 finds that integrating cybersecurity with business goals improves revenue growth, market share, customer satisfaction, trust, and employee productivity.
Ok, what should I do?
If the message resonates, how would you assess your company's cybersecurity program? How confident are you that the company can be resilient in a cyber-attack or other threat? How might you rate yourself on the following checklist?
Businesses would be remiss to ignore the message. For those prioritizing cybersecurity governance and risk management practices, the competitive advantage is yours.