Do cybercrime statistics ever shock you anymore?
The stats from emerging cyber threats are truly mind-boggling: cybercrime is up 30% in Q2 2024 (year to year), just under 90% of US businesses reported suffering a cyberattack in the last year, and global damage estimates are up to $10.5 trillion by 2025.
Consider this, from Cybercrime Magazine: the growth in cybercrime from 2015 to 2025 will be the greatest transfer of financial wealth in history, and be greater than the global total for natural disaster damage over a year. It will generate more profit for the criminals than the global trade of all illegal drugs combined.
It should be no surprise that governments across the world are desperate to act.
Ransomware, which has drawn increasing focus as it has paralyzed health care institutions worldwide, has been a particular focus for law enforcement. But despite real victories (like the breakup of LockBit and outing of its notorious leader), there are still regular reports like the one I read on Forbes last week, that a Fortune 50 company paid out a $75 million ransom earlier this year.
And we don’t even know who it is.
Earlier we looked at EU regulations and their clash with big tech. In this article we take on government cybersecurity regulations for 2024, the impact recent Supreme Court rulings will have, and what companies must do to navigate such waters.
The Current Regulatory Landscape
It’s hard to see the full scope of the problem with so many unreported attacks, making it unsurprising that recent cybersecurity law changes emphasize reporting.
Of course, it’s easy to understand why companies don’t always report in a timely fashion—they risk further attack via vulnerabilities they may not yet fully understand, suffer damage to their reputation, and risk exposure to litigation and government rebuke.
The Cybersecurity and Infrastructure Security Agency (CISA) dates back to 2018 (taking over from an office in the Department of Homeland Security) and has continued ramping up since its creation. It issues directives to steer other government agencies, oversees detection, and handles incident response.
CISA was key in drafting the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), from 2022. CIRCIA mandates reporting, and for CISA CIRCIA compliance, critical infrastructure entities (or their lawyers, insurance providers, or cybersecurity specialists) must report incidents to CISA within 72 hours, and all ransomware payments within 24 hours.
[CISA is also involved in AI regulation. For more information, see my article on Substack.]
Other Federal Regulations
The Securities and Exchange Commission (SEC), by origin, does not include cybersecurity. But that hasn’t stopped it from enacting rules in 2023 on risk management and incident disclosure. The SEC cybersecurity rules require public companies to disclose cybersecurity incidents within four business days, including the nature, scope, timing, and impact.
It also requires annual disclosures about cybersecurity risk management, detailing their strategy and oversight.
The Federal Trade Commission (FTC)’s Safeguards Rule dates back to 2003, but has been updated to include cybersecurity. It applies to nonbanking financial organizations—or businesses that take, store, or handle customer information (“personally identifiable information” or PII).
This requires encryption and multifactor authentication, companies to designate a single point of contact, conduct risk assessments, provide proof of monitoring and testing of defenses, training, incident response plans, and more.
It also adds new notification requirements, contacting the FTC ASAP (and no later than 30 days) for breaches that impact more than 500 customers.
Here again, we see the focus is clear: forcing companies to report incidents and detail their cybersecurity protections.
State-Level Regulations
Of course, it doesn’t end there.
47 states and the District of Columbia have enacted their own cybersecurity laws, covering things like cybersecurity posture, breach notification, and data protection.
California’s are among the most stringent, with the California Consumer Privacy Act (CCPA) from 2023 (inspired by the EU’s GDPA, joining additional regulations requiring detailed notifications.
Sector-Specific Regulations
In healthcare, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) requires reporting on breaches involving Protected Health Information (PHI), and Health Insurance Portability and Accountability Act (HIPAA) provides data protection laws for cloud providers, including additional cybersecurity regulation.
The Gramm-Leach-Bliley Act (GLBA, enforced by the FTC) has recently expanded data privacy regulations to cybersecurity reporting for financial organizations, and the Transportation Security Administration (TSA) issued emergency amendments for passenger and freight railroad carriers, airports and aircraft businesses, which, like the FTC data security guidelines, require a point of contact, continuous monitoring and testing, incident response plans, and cyber resilience regulations to ensure continued operation.
Here again we see the extent of this patchwork of regulations, depending on location and sector.
The Shifting Ground
Further complicating the issue for businesses, regulations that that are not law, passed by Congress and signed by the President, will likely be far more variable in the upcoming years.
Recent Supreme Court rulings, such as the Loper Bright Decision, introduce additional complexity in this area. Loper Bright overturned the so-called Chevron deference, which ceded power to government agencies to interpret ambiguous statutes.
This power is now back in the courts, and as a result, cybersecurity regulations may be more regularly reinterpreted, and I expect they will.
For companies, this means more change. This could include CISA interpretation of CIRCIA, and proposed FTC changes to online protection for children and rules around health breaches, as well as things like the SEC’s right to regulate here, and the GLBA and TSA regulations, among others.
Cybersecurity Risk Management Strategies
This is by no means an exhaustive look at regulations, when you consider the CFAA, FISMA, the ECPA, COPPA, and more.
But at issue is this: facing such a varied tapestry, how can companies stay on top of cybersecurity compliance challenges?
Budget, scale, and sector are key, of course, but overall, this is my advice:
- Designate your point of contact: Many regulations require a point of contact for cybersecurity issues, and of course it makes sense to have someone trusted within your organization to be the point of this spear.
- Understand current obligations: Begin by getting a comprehensive picture of what requirements you have now for cybersecurity protection, reporting, and crisis management. Given the wide spread of institutions and varied levels of coverage, this is not easy, but it is absolutely essential.
- Perform your own risk assessment: Assemble a cross-functional team if possible, to help compare current readiness matches to not only the required, but the likely trajectory. Do you have gaps that need addressing? Adequate legal counsel, demonstrable plans, and reporting?
- Monitor and test and be ready to demonstrate how: Many regulations require proof of consistent monitoring, so that companies are aware when events happen, and will not be late to learn of attacks. Consider automated testing innovations where possible and affordable.
- Have a tried and tested incident response plan: Also a common regulatory requirement, it’s just good sense to have rapid response capabilities in place, both to limit the fallout from cyber incidents and to help sustain business continuity.
- Invest in training: I repeat this over and over, but it’s relevant here as well—your best defense against cybercrime is a trained workforce. It’s also mandated by some regulations, and can be included in your readiness plans.
- Stay informed: Once you’re ready, expect change. As discussed, legal challenges in the US landscape are going to trigger changes in requirements and coverage, and this will require regulatory monitoring, just like your cybersecurity itself.
[Another method to stay informed is to read The PTP Report, which includes regular cybersecurity roundups and coverage of current events.]
For additional guidance on cybersecurity readiness, you can also look to my Substack, where I cover topics from essential strategies for business owners, to protecting a remote workforce.
Conclusion
You don’t need me to tell you the cybercrime trends for 2024 are not good, and that we expect attacks to only escalate over the near term.
But alongside this, I expect governments to escalate, too: putting more pressure on companies to shore up their cyber defenses.
Compliance and cybersecurity are two very different fields, but this escalation means increased attention for both. And with recent court rulings shifting where ambiguity is clarified, businesses would be prudent to expect regulatory challenges to continue to play out in the courts.
As always, the best approach is to be proactive, not only by staying informed, but also, where budget permits, by building out smart cyber defense protocols that are also compliance ready.
References
Global law enforcement takes down ransomware group that targeted U.S. hospitals and schools, NBC News
Cybersecurity Alerts & Advisories, CISA
Cyber Incident Reporting for Critical Infrastructure Act of 2022 – Notice of Proposed Rulemaking Informational Overview, CISA
SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, U.S. Securities and Exchange Commission
Supreme Court Ruling Threatens the Framework of Cybersecurity Regulation, Security Week
The Loper Bright Decision: How it Impacts Cybersecurity Law, The Hacker News
