What's Shifting The Landscape within Cyber?
petercavicchia.com

Recently I have had discussions with colleagues and others about the rapid pace of activity related to cybersecurity. I believe several vital changes are taking place that are shifting cybersecurity in a positive direction. The most prominent of these are cyber insurance, federal government investment in cyber, and new requirements from CISA and potentially the SEC. Additionally, several newsworthy cyber incidents have captured the general public's attention and made cybersecurity a reality for everyone. The current war in Ukraine, and the potential for related activity in cyberspace, has led business leaders to take a more proactive approach to how their organizations implement cybersecurity protections. Senior leaders and boards are more aware of their responsibility for cybersecurity incidents and of the negative impact incidents can have on a business.



Cyber Insurance

According to IBM, the average cost of a data breach increased 10% from 2020 to 2021, to $4.24 million (https://www.ibm.com/downloads/cas/OJDVQGRY). With the cost of a data breach growing and the pace of ransomware attacks on organizations of all sizes increasing, companies have looked for a way to transfer some of the risk related to these events. Cyber insurance has been seen as a "Get Out of Jail Free" card by many organizations. Early on, insurance carriers were eager to enter this market and provided large sums of coverage without fully understanding the nature and impact of cyberattacks.

As insurers started to encounter an onslaught of claims from their clients, it became increasingly clear that the rate of claim payouts was unsustainable. As a result, insurers began analyzing the data from client claims to understand how attackers were gaining access to systems. With this trove of information in hand, providers have started tightening the requirements for securing cyber insurance. Gone are the days of obtaining cyber insurance while having lax controls or no real focus on security within an organization. Much like the effect insurance had on automobile safety, we are now seeing the same impact on cybersecurity.

Insurer questionnaires are becoming increasingly detailed, and providers are setting a minimum bar for insurability. Customers are now being asked to document whether they have a CISO, security policies, monitoring and logging, an incident response plan, and multifactor authentication, to name a few. Without these in place, companies can expect higher premiums or outright denial of coverage. This new expectation is reasonable, because much of what insurers need clients to have in place from a security standpoint is table stakes. Some may see this as an undue burden on small and medium-sized businesses. Still, the reality is that implementing appropriate security within your business can determine whether your organization survives an attack. According to a recent Forbes article, sixty percent of small businesses do not remain viable after a cyber incident (https://www.forbes.com/sites/theyec/2021/06/02/how-to-protect-your-small-business-from-cyber-threats/?sh=49e6ead656cd).

As insurance carriers look to relieve some of the burden of paying ever-larger claims for ransomware and other cyber-related business disruptions, they will continue to raise the security requirements companies must meet to secure multi-million dollar insurance contracts.


Federal Government Investment

In May of 2021, President Biden signed an executive order to improve the nation's cybersecurity. This order called for strengthening and modernizing cybersecurity standards within the government, improving the security of the software supply chain, and removing barriers to information sharing between the government and the private sector. Over the past year, the federal government has allocated billions of dollars to cyber-related activities. These include the Infrastructure Investment and Jobs Act, which contained roughly $2 billion for cybersecurity, including $1 billion in grants for state and local governments.

It has long been understood that the future will be digital, but the pandemic has undoubtedly accelerated the move of individuals, businesses, and government into this new paradigm. As part of the infrastructure bill passed by Congress last year, roughly $2 billion was allotted for cybersecurity, focused on energy, transportation, and state and local governments. These investments are positive for our nation as a whole. As everyday citizens become more aware of the potential repercussions of cyberattacks, our nation's leaders have started to apply the focused attention and investment needed to address the issue.

The White House recently proposed $10.9 billion for civilian cybersecurity programs (https://www.securityweek.com/white-house-proposes-109-billion-budget-cybersecurity). Naturally, it remains to be seen how all these financial resources will be spent. It is the federal government, after all. However, it is encouraging to see the government not merely talk about what must be done but finance it.




CISA and SEC regulations

The Cybersecurity and Infrastructure Security Agency (CISA) and the Securities and Exchange Commission (SEC) are implementing new requirements related to the notification of cyber incidents. The recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 expands reporting requirements for public and private entities. Under the new law, covered organizations will be required to report specific cyber incidents to CISA within 72 hours and to report ransomware payments within 24 hours. This regulation applies to the critical infrastructure sectors, which include chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. Because the majority of critical infrastructure is owned by private industry, the regulation will have a broad impact.

Under the Act, covered entities that experience a "covered cyber incident" must report the incident to CISA no later than 72 hours after the entity "reasonably believes" that such an incident has occurred. The Act defines a "covered cyber incident" as one that is "substantial" and meets the "definition and criteria" to be set by the CISA Director in the forthcoming rulemaking process. In addition, covered entities are required to report any ransom payment made as the result of a ransomware attack to CISA no later than 24 hours after making the payment. Ransom payments must be reported even if the underlying ransomware attack is not a covered cyber incident. If a covered entity experiences a covered incident and pays a ransom before the 72-hour deadline, it may submit a single report to satisfy both reporting requirements. Covered entities that are required to report cyber incidents or ransom payments will also be required to preserve relevant data. Although the Act specifies some of the content that reports must contain, the CISA Director will further prescribe report contents through the rulemaking process.

The SEC is also proposing new requirements for publicly traded companies related to cyber incidents. The proposed rule is currently in its draft and comment period. If it becomes final, publicly traded companies could be required to disclose material cybersecurity incidents in a Form 8-K filing with the SEC. The SEC states that it is taking this action "due to the rising cost to companies and their investors from cybersecurity incidents." The SEC is also proposing a new Item 106 of Regulation S-K that would require a registrant to (1) provide updated disclosure in periodic reports about previously reported cybersecurity incidents; (2) describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation; and (3) disclose the board's oversight of cybersecurity risk, management's role in assessing and managing such risk, management's cybersecurity expertise, and management's role in implementing the registrant's cybersecurity policies, procedures, and strategies.

This proposed rule may require additional focus from company executives and boards to understand how their organizations integrate cyber risk into the broader business strategy. It has long been said that cybersecurity is a business risk, not just an IT issue; this proposal could solidify that stance. Companies may have to shift resources in how they address cyber risk if they are required to provide this level of detail in their SEC filings. How a company manages cyber risk may truly become a competitive advantage, and a disadvantage if handled inappropriately.

Cyber insurance, federal government investment, and new CISA and SEC regulations are a few of the things that, in my view, will potentially have a significant impact on cybersecurity in the future. While these things alone will not solve all the issues we face in cybersecurity, they may certainly move us further in the right direction. I would encourage other cybersecurity professionals to gain the understanding needed in these areas so that we can help guide organizations through these challenges. Cybersecurity is no longer sitting in the backseat. We are being moved to the front passenger seat and asked to help navigate the new journey. We may occasionally be asked to grab the wheel and drive, so we must ensure we are ready to do so when called!

Srinivasan Vanamali, CISSP

Cybersecurity and IAM SME

2 years ago

Nice one, Shawn. If it is a publicly traded entity, the SEC has some mandates: https://www.sec.gov/news/press-release/2022-39


More articles by Shawn Robinson
