Sunday, June 4, 2023

New cybersecurity regulations are coming. Here's how to prepare.

A new set of cybersecurity regulations and enforcement measures is underway at the state and federal level in the United States and around the world. However, companies don’t need to just wait for the rules to be written and then implemented. Instead, they now need to work to understand the types of regulations currently under consideration, identify uncertainties and potential impacts, and prepare to act.

Cybersecurity has reached a tipping point. For decades, private sector organisations have more or less been left to deal with cyber incidents on their own, but the scale and impact of today's cyber attacks mean that the consequences of these incidents can ripple across societies and borders. Now governments feel the need to “do something,” and many are considering new laws and regulations. Yet lawmakers often struggle to regulate technology: they respond to political urgency, and most do not have a firm grasp of the technology they want to control. The consequences, implications and uncertainties for companies are often not realized until after the fact. In the U.S., a whole new set of regulations and enforcement is on the way: the Federal Trade Commission, the Food and Drug Administration, the Department of Transportation, the Department of Energy, and the Cybersecurity and Infrastructure Security Agency are all working on new rules. Additionally, in 2021 alone, 36 states enacted new cybersecurity legislation. Globally, there are many initiatives such as data localization requirements in China and Russia, CERT-In incident reporting requirements in India, and GDPR with its incident reporting requirements in the European Union.

Things We Don’t Know About Cyber Attacks

To date, cybersecurity-related regulations in most countries have focused on privacy rather than cybersecurity, so most cyber attacks do not need to be reported. If private information is stolen, such as names and credit card numbers, the theft must be reported to the appropriate authorities. But when Colonial Pipeline, for example, suffered a ransomware attack that caused it to shut down the pipeline that fuels nearly 50 percent of the U.S. East Coast, it was not required to report the attack because no personal information was stolen. (Of course, it is hard to keep a secret when thousands of gas stations have no gas.) So it is nearly impossible to know exactly how many cyber attacks there are, and what form they take. Some believe that only 25% of cybersecurity incidents are reported, others say only about 18%, and others say only 10% or less. The truth is that we don’t know what we don’t know. This is a dire situation. As management guru Peter Drucker famously said: “If you can’t measure it, you can’t manage it.”

What needs to be reported, by whom, and when?

Governments consider this situation untenable. For example, in the United States, the White House, Congress, the Securities and Exchange Commission (SEC), and many other agencies and local governments are considering, implementing or beginning to enforce new rules requiring companies to report cyber incidents, especially in energy, healthcare, communications, financial services and other critical infrastructure industries. Under these new rules, Colonial Pipeline would be required to report a ransomware attack. In part, these requirements were inspired by “near-miss” reporting requirements for aircraft: when an aircraft comes close to crashing, a report must be filed so that the malfunction that caused the event can be recognized and avoided in the future. On the surface, similar requirements for cybersecurity seem very reasonable. The problem is that what should count as a cybersecurity “incident” is far less clear-cut than a near miss between two planes. A cyber “incident” is something that can lead to a cyber intrusion, but does not have to be an actual intrusion: according to one official definition, it only needs to “immediately compromise” a system or present an “imminent threat of action” that breaks the law. That leaves companies navigating a lot of grey areas. For example, if someone tries to log into your system but is rejected because of a wrong password, is this an “imminent threat”? What about phishing emails? Or someone scanning your systems for known vulnerabilities, such as the log4j vulnerabilities? What if an attacker actually got into your system, but was caught and expelled before doing any harm? This ambiguity requires companies and regulators to strike a balance.

All companies are safer when there is more information about what attackers are trying to do, but this requires companies to report meaningful incidents in a timely manner. For example, based on data collected from current incident reports, we know that of the nearly 200,000 known vulnerabilities in the National Vulnerability Database (NVD), only 288 are actively exploited in ransomware attacks. Knowing this allows companies to prioritize addressing those vulnerabilities. On the other hand, using an overly broad definition can mean that a typical large company may need to report thousands of incidents per day, even if the majority are spam that is ignored or rejected. This is a huge problem for companies, and also for the agencies that must process and make sense of the resulting flood of reports. International companies also need to be aware of the different reporting standards in the EU, Australia and elsewhere, including how quickly reports must be submitted: whether it is 6 hours in India, 72 hours in the EU under GDPR, or 4 business days in the U.S. There are usually also many variations within a country, since different agencies issue their own regulations.

What companies can do now

Make sure you have procedures for complying with the mandate.

SEC-regulated companies (which include most large corporations in the U.S.) need to quickly define “materiality” under these new regulations and review their current policies and procedures for determining whether materiality applies. They may need to revise them to streamline operations, especially if these decisions must be made frequently and quickly.

Keep ransomware policy up to date.

Regulations are also being developed in areas such as reporting ransomware attacks and even criminalizing the payment of ransoms. Company policies regarding ransom payment need to be reviewed, along with likely changes to cyber insurance policies.

Prepare the required “software bill of materials” to better review your digital supply chain.

Many companies are unaware that the log4j vulnerabilities exist in their systems, because log4j is often bundled inside other software, which is itself bundled inside yet other software. Regulations have been proposed that require companies to maintain a detailed and up-to-date software bill of materials (SBOM) so that they can quickly and accurately account for all the different software embedded in their complex computer systems. Although an SBOM has other uses as well, producing one may require significant changes to the way your company develops and acquires software. Management needs to review the impact of these changes.
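The following added example (not code from the article or its authors) shows why an SBOM matters for the nested-bundling problem described above and for the prioritization point made earlier about actively exploited vulnerabilities. It walks a hand-constructed SBOM in the CycloneDX `components` / `dependencies` shape, reports every path by which a component such as log4j reaches the application, and cross-references the result with a constructed, placeholder list of known-exploited components. All component names, versions and the advisory identifier are constructed placeholders; a real deployment would load its real SBOM and a real feed such as CISA's Known Exploited Vulnerabilities catalog.

```python
"""Walk a CycloneDX-style SBOM to find transitively bundled components.

Added example, not from the article. The SBOM below is constructed by hand
with placeholder versions; the "known exploited" list is likewise a placeholder.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample SBOM: the application depends on a web framework, which
# depends on a logging facade, which bundles log4j-core three layers deep.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "app", "name": "app", "version": "1.0.0"},
        {"bom-ref": "webframework", "name": "webframework", "version": "3.2.0"},
        {"bom-ref": "logging-facade", "name": "logging-facade", "version": "2.1.0"},
        {"bom-ref": "log4j-core", "name": "log4j-core", "version": "EXAMPLE"},
        {"bom-ref": "json-parser", "name": "json-parser", "version": "5.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["webframework", "json-parser"]},
        {"ref": "webframework", "dependsOn": ["logging-facade"]},
        {"ref": "logging-facade", "dependsOn": ["log4j-core"]},
    ],
})

# Constructed placeholder: component name -> advisory id. In practice this
# comes from a maintained feed of actively exploited vulnerabilities.
KNOWN_EXPLOITED: Dict[str, str] = {
    "log4j-core": "CVE-PLACEHOLDER-log4j",
}


def load_graph(sbom_json: str) -> Tuple[Dict[str, dict], Dict[str, List[str]]]:
    """Return (components by bom-ref, dependency edges by bom-ref)."""
    bom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return components, edges


def find_paths(sbom_json: str, name_pattern: str) -> List[List[str]]:
    """Every dependency path from a top-level component to a component whose
    name matches name_pattern. Each path is a list of 'name@version' labels."""
    components, edges = load_graph(sbom_json)
    pattern = re.compile(name_pattern, re.IGNORECASE)

    def label(ref: str) -> str:
        comp = components.get(ref)
        return f"{comp['name']}@{comp.get('version', '?')}" if comp else ref

    # Roots are components nothing else depends on (the applications themselves).
    depended_on = {child for children in edges.values() for child in children}
    roots = [ref for ref in components if ref not in depended_on]

    hits: List[List[str]] = []

    def walk(ref: str, path: List[str]) -> None:
        if ref in path:  # guard against cyclic dependency declarations
            return
        path = path + [ref]
        comp = components.get(ref)
        if comp and pattern.search(comp["name"]):
            hits.append([label(r) for r in path])
        for child in edges.get(ref, []):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return hits


def prioritize(sbom_json: str, exploited: Dict[str, str] = KNOWN_EXPLOITED) -> Dict[str, dict]:
    """For each known-exploited component present in the SBOM, report the
    advisory, every path to it, and the direct dependencies that would have to
    be upgraded (the first hop below the root, which is what a team can act on)."""
    report: Dict[str, dict] = {}
    for name, advisory in exploited.items():
        paths = find_paths(sbom_json, rf"^{re.escape(name)}$")
        if paths:
            report[name] = {
                "advisory": advisory,
                "paths": [" -> ".join(p) for p in paths],
                "upgrade_candidates": sorted({p[1] for p in paths if len(p) > 1}),
            }
    return report


if __name__ == "__main__":
    print(json.dumps(prioritize(SAMPLE_SBOM), indent=2))
```

Run as a script it prints the one actionable finding: log4j-core is reachable only through webframework, so that is the dependency to upgrade, even though log4j never appears in the application's own dependency list.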

What else should you do?

Someone in the company, or possibly a team, should review these new or proposed regulations and assess their impact on the organization. These are rarely just technical details to be left to your information technology or cybersecurity team; they have implications across the company and can change many policies and procedures across the organization. Since most of these new regulations are still malleable, your organization may want to actively influence where they are going and how they are implemented and enforced.

Acknowledgements: This research was partially funded by members of the MIT Sloan Cybersecurity Alliance (CAMS).
