2021 has provided no shortage of security events and incidents. The increasing frequency and severity of supply chain and ransomware attacks have put pressure on governments and various regulators to act, which has created a lot of noise and uncertainty amongst organizations attempting to keep up with their cybersecurity regulatory compliance obligations.
Here is a recap of the regulatory highlights and guidance we’ve seen recently:
Synopsis of President Biden’s Cybersecurity Executive Order
On May 12, 2021, United States President Joe Biden signed the “Executive Order on Improving the Nation’s Cybersecurity (14028)” in an attempt to bolster the security of federal information systems. The Executive Order released by the Biden administration was not especially technically prescriptive; instead, it laid out key policy initiatives and directives for various federal agencies, including updating contracts with new information-sharing requirements (OMB) and updating technical standards (NIST), that will likely create more lasting impacts.
NIST Fulfilling Executive Order Actions
As part of Biden’s Executive Order, the National Institute of Standards and Technology (NIST) was one of multiple agencies tasked with enhancing the security of the software supply chain. The order set out multiple target dates and objectives that NIST and other federal agencies were required to meet. As of this writing, NIST has fulfilled the first two requirements by defining “critical software” and publishing guidance on security measures for critical software and minimum standards for testing of software source code. The next updates are required to be delivered by November 8, 2021, so be on the lookout for more NIST guidance as a result of the Executive Order.
White House Open Letter to Corporate Executives and Business Leaders
The Deputy National Security Adviser for Cyber and Emerging Technology for President Biden, Anne Neuberger, published an open letter to corporate executives and business leaders in a plea to assist the federal government in its efforts to combat ransomware. The letter references Biden’s Executive Order and cites a list of what she refers to as a small number of highly impactful steps ranging from system backups to regularly testing your incident response (IR) plans.
Department of Homeland Security (DHS)
On May 27, 2021, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued a security directive on enhancing pipeline security. The directive outlined four primary actions: TSA-specified owners or operators must appoint a cybersecurity coordinator, review current practices, perform a cybersecurity assessment and report any gaps and remediation plans, and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
On July 20, 2021, TSA issued a second directive, requiring pipelines to implement specific mitigating measures against ransomware attacks. The specific details of that directive were issued on a need-to-know basis for operators.
Department of Defense (DoD)
In addition to the executive action being taken, the Department of Defense (DoD) has also been making noise in the cybersecurity regulatory space with the introduction of the Cybersecurity Maturity Model Certification (CMMC). The objective and mandate of the CMMC is that DoD contractors obtain this third-party certification to ensure appropriate cybersecurity practices and processes are in place to meet “basic cyber hygiene” and to protect controlled unclassified information (CUI) residing on partner systems. Without the level of certification required by each DoD contract, organizations will not be able to compete for that contract.
Securities and Exchange Commission (SEC)
The Securities and Exchange Commission (SEC), which is charged with overseeing and regulating the securities markets and protecting investors, is becoming increasingly involved in cybersecurity. In June 2021, it settled with a real-estate settlement services company for violating disclosure controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. Additionally, the SEC has begun an investigation into the SolarWinds compromise, issuing questionnaires to companies it believes have been compromised. While the SEC has historically required some inquiry into cybersecurity activities as part of Sarbanes-Oxley (SOX) compliance, these recent events, along with proposed rule changes around breach disclosure, indicate that public companies may see another regulator more involved in their cybersecurity efforts.
New York Department of Financial Services (NYDFS)
The New York Department of Financial Services (NYDFS) made a name for itself in the cybersecurity regulatory space in 2017 when it issued 23 NYCRR Part 500, which established cybersecurity requirements for financial services companies that fall under New York State regulation. After its first enforcement action under that regulation last year, NYDFS has continued to push for increased security related to ransomware by publishing its Cyber Insurance Risk Framework in relation to 23 NYCRR Part 500, and an open letter in June on ransomware guidance in which it clarified the requirements for reporting ransomware under 23 NYCRR § 500.17(a).
Key Takeaway – Increased Enforcement
As you can see from the above activities, industry regulators and the federal government have increased their focus and attention on cybersecurity regulatory compliance. Each of these activities from the various regulators has its own implications, but the primary takeaway is that regulators are trending towards increased enforcement of existing standards and towards updating those standards in ways that will further enable enforcement.
Because enforcement actions can vary by regulator, let’s have a look at a few of the recent examples from above:
- The SEC fined a company for violating the Securities Exchange Act, which has no specific relationship to cybersecurity. However, the internal controls governing disclosure of pertinent information about a cybersecurity vulnerability to the organization’s shareholders failed, thereby violating this nearly century-old regulation. This is a more traditional example of regulatory enforcement, as the company incurred a fine for the infraction.
- The DoD introduced the CMMC, which requires partners to demonstrate their compliance with various levels of cybersecurity standards depending on the DoD contract. As we’ve covered in the past, the CMMC standards consist primarily of NIST 800-series controls that have existed for years. While there is no general requirement to become certified, it is a requirement if you want to participate in defense contracts. This enforcement is more nuanced, as no fines will be levied for non-compliance; organizations simply won’t be able to compete for defense contracts.
- The Executive Order tasked various sub-agencies with fulfilling requests to increase the security of federal agencies and industrial control systems, which has led to DHS issuing directives requiring specific mitigating procedures. The specifics of the enforcement actions behind the DHS directives have not been widely publicized, but it has been reported that applicable organizations could incur fines starting around $7,000 and increasing depending on the specific violation. Again, this enforcement, specific to pipeline operators, is more traditional in that a fine may be imposed for non-compliance.
While the effectiveness of the increased enforcement will take time to evaluate, there is little doubt that enforcement is increasing. Given this increased attention to, and enforcement of, cybersecurity compliance frameworks and standards, what are some key activities that will allow organizations to best respond and keep up with the inundation of updates from regulators?
- Follow YOUR industry and organization’s regulatory agency or agencies’ press releases closely:
Depending on your industry and your status as a public or private company, you may have one or more regulatory agencies. Most of these regulators release information frequently in news releases, including draft documents seeking industry input and feedback before final versions are released. While there is often a grace period for final changes, being aware early allows you to plan and implement potential changes more quickly and cost-effectively.
- Speak with your auditor frequently:
If you have compliance obligations that require an independent attestation from an auditor, speak with them frequently to stay up to date on changing requirements or developing trends in enforcement, as these can evolve over time. Because they are required by the regulating bodies to attest to your compliance and will perform your audit, they know what you must achieve to be compliant.
While this is certainly not an exhaustive list of steps, these two simple activities will keep you focused on the critical elements of your regulatory compliance from the groups that have the most impactful information. Having this updated information to continually feed your enterprise risk assessment will allow your organizational decision-makers to appropriately allocate resources to maintain that compliance and address regulatory changes as needed.