Forecast: Regulatory Priorities for Cybersecurity

At the midpoint of 2022, ADCG has pulled together a summary of the regulatory efforts by federal regulators with regards to data privacy and cybersecurity.

In January of 2022, the Securities and Exchange Commission (SEC) gave a keynote address at the 2022 Securities Regulation Institute and identified the following areas of consideration for new or revised SEC regulatory efforts:

1. Cybersecurity reporting and recordkeeping regulations for investment funds, advisers, and broker-dealers;

2. Cybersecurity event reporting requirements for public companies;

3. Cybersecurity risk management disclosure requirements for public companies;

4. Strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems;

5. Data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and;

6. Disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.

In February, pursuant to effort one, the SEC proposed a new cybersecurity rule applying to registered investment advisers (advisers), investment companies, and business development companies (funds).

This proposed regulation governed written cybersecurity policies and procedures, public incident disclosures, and recordkeeping requirements. In March, the SEC proposed a similar rule to govern public companies, as required for effort number two.

In April, the Chair of the SEC, Gary Ensler, made remarks before the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council, stating that he had taken action to satisfy all of the regulatory efforts announced in February, except for items five and six. Then in May, the SEC announced that in addition to the previously discussed regulatory efforts, the SEC would be increasing the number of dedicated enforcement positions in its Crypto Assets and Cyber Unit from 30 to 50.

Going forward, here are the regulatory efforts that we are expecting to see in the remaining months of 2022:

According to the House Appropriations Committee draft fiscal year 2023 Homeland Security spending bill, the Cybersecurity & Infrastructure Security Agency (CISA) will receive an almost $3 billion budget in fiscal year 2023, which is a 13 percent increase from last year’s budget. This will empower the agency to further their cybersecurity efforts across the board, which includes the implementation of mandatory incident reporting legislation.

Although the agency previously stated that it would require at least two years of rulemaking to determine the parameters of the requirement, Brandon Wales has said the agency is “going to try to move a little bit more quickly than that[.]”

Jim Langevin (D-RI), who chairs the Subcommittee on Cyber, Innovative Technologies, and Information Systems—and has served on the Cyberspace Solarium Commission—is pushing to “amend the annual defense policy legislation to include cyber protections for the nation’s most vital critical infrastructure.” If amended, the bill would “boost defenses for ‘systemically important critical infrastructure (SICI).’” Specifically, the amendments would enhance reporting requirements and practices deployed in dealing with these SICIs.

In addition, the Justice Department recently set a goal of “enhancing its efforts to combat ransomware attacks by: (1) increasing the percentage of reported ransomware incidents from which cases are opened, added to existing cases, or resolved or investigative actions are conducted within 72 hours to 65 percent; and (2) increasing the number of ransomware matters in which seizures or forfeitures are occurring by 10%” by September 30, 2023.

* * * * * * *

For ADCG’s Breach Report and more news updates discussing: Consumer Financial Protection Bureau issuing new regulations around how companies can use and share credit and background reports; China’s biggest data leak in the nation’s history; and which U.S. agencies are considering AI regulations, click here.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

Keith Cheresko, Principal of Privacy Associates International LLC, joins Jody Westby on our Privacy and Cybersecurity podcast this week to discuss the burden placed on many companies due to the increase in contractual obligations associated with privacy laws and regulations. Our Podcasts are released every Thursday, here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!