Preparing Your Organization for Upcoming Cybersecurity Deadlines

Federal and state regulators have introduced new rules and mandates aimed at holding organizations accountable when it comes to cybersecurity. Here's how to get ready.

Karl Mattson, Field CISO, Noname Security

May 22, 2024


COMMENTARY

As our world becomes increasingly digitized, malicious actors have more opportunities to carry out attacks. Data breaches and ransomware are on the rise, and the urgency to fortify our digital defenses has never been greater. With one cyberattack occurring every 39 seconds, there's a critical and immediate need for enhanced cybersecurity measures.

Aside from causing financial and reputational harm, cyberattacks also carry the real possibility of negatively impacting our physical world. We saw this happen in 2021 when a ransomware attack shut down Colonial Pipeline, causing shortages of gasoline, jet fuel, and home heating oil across the East Coast, which subsequently led to consumer panic-buying and a spike in gas prices.

The threat landscape is expanding rapidly, and everything from companies' data to our country's critical infrastructure is at risk. Adding to the challenge, AI is enabling cybercriminals to execute more sophisticated attacks at a larger scale. Meanwhile, both federal and state regulators have introduced new rules and mandates aimed at holding organizations accountable when it comes to cybersecurity, and deadlines to comply are fast approaching.

Below, we'll explore two of these new requirements and how organizations can prepare for them.

Two New Upcoming Mandates to Be Aware Of

1. Smaller reporting companies must comply with the SEC's new breach disclosure rules. (Deadline: June 15)

Last December, the Securities and Exchange Commission (SEC) released cybersecurity disclosure requirements for public companies, which will also apply to smaller reporting companies, beginning on June 15. The SEC defines smaller reporting companies as those with "a public float of less than $250 million, as well as registrants with annual revenues of less than $100 million for the previous year and either no public float or a public float of less than $700 million."

Smaller reporting companies will be required to disclose "any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant."

It's important to note that the onus is on the organization that was breached to define and determine materiality. However, a quick look through the EDGAR database shows fewer reports of material breaches than one would expect, given the prevalence of cyberattacks. Are companies being disingenuous in how they define materiality in an attempt to avoid the decrease in shareholder confidence and the reputational hit associated with reporting a breach? For this rule to serve its intended purpose, companies need to create clearly defined processes for assessing the impact of cyberattacks, including unambiguous criteria for what qualifies as a material incident.

This new requirement is an important step for smaller reporting companies to maintain trust with consumers and stakeholders, but it goes even further than that. Smaller companies play a crucial role in the supply chain for larger companies, meaning an attack on a smaller organization could have a significant impact on a larger organization down the line, potentially resulting in harmful, far-reaching consequences.

Take weapons systems, for example: A few major defense industrial base (DIB) companies might be involved in creating a weapon system that provides a critical capability for the military. But drilling down a few levels, one of the parts necessary for the system to function might be manufactured by a smaller company. What happens if it is hacked?

Additionally, from a purely IT standpoint, there have been many instances where larger companies have been accessed via their connection to a smaller organization. A prime example of this is the data breach of Court Ventures, a subsidiary of Experian, which led to the exposure of 200 million personal records.

2. Federal agencies must meet zero-trust goals. (Deadline: Sept. 30)

In 2022, the United States Office of Management and Budget (OMB) released a memorandum instructing federal agencies to start implementing a zero-trust framework to secure their data and information systems. By Sept. 30 of this year, agencies are required to have completed 19 specific tasks aligned with the five pillars (Identity, Devices, Networks, Applications and Workloads, and Data) of the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model.

One of the requirements in the memorandum states that "agencies must operate dedicated application security testing programs" and "utilize high-quality firms specializing in application security for independent third-party evaluation," highlighting the importance of application programming interface (API) security. APIs are integral to applications, allowing them to communicate with one another and exchange data. But they're also a prime attack vector: One report found that a staggering 78% of cybersecurity professionals have experienced an API security incident in the past 12 months.

Government agencies need to take a hard look at API security. This will require the adoption of tools that provide a bird's-eye view of everything happening within the organization's network, including data flows, API movement, and which data APIs are exposing. In many cases, organizations aren't even aware of how many APIs they have and which types of data are traversing them. Having this visibility will empower federal agencies to quickly identify anomalous behavior and flag malicious actors.

These new requirements are a step in the right direction, but to be truly effective, a larger shift in philosophy regarding security must occur. Too often, organizations view security as a cost rather than an investment. But as the world becomes more digitized and the threat landscape expands, organizations must adequately fund security or they risk undermining the very innovations intended to fuel growth and profitability.

Finally, any future regulations must be administered fairly and consistently with strong enforcement. This will involve striking the right balance of both incentives and penalties to ensure compliance. While it's encouraging to see more cybersecurity regulations emerge, thwarting attacks will be an ongoing battle and more federal regulation plus continued cybersecurity investment is necessary.

About the Author(s)

Karl Mattson

Field CISO, Noname Security

With more than 25 years of experience leading diverse teams of technology and security professionals in financial services, retail, and federal government, Karl Mattson has a track record of advising CEOs, CTOs, and investors on strategies for product, market, and customer success. Prior to Noname Security, he served as CISO at PennyMac Loan Services and City National Bank, and senior VP of IT Risk Management at PNC. In addition, Mattson formerly served as president of the LA Cyber Lab, financial services co-chair for Los Angeles Infragard, and adjunct faculty at the University of Minnesota's Technological Leadership Institute. Mattson completed eight years of active duty service in the US Army. He holds a bachelor of business administration from St. Mary’s University of San Antonio, an MBA from Auburn University, and a master of science in computer and information systems from Boston University. He is a certified CISSP and FBI CISO Academy graduate.
