In December 2023, the U.S. Securities and Exchange Commission's (SEC) expanded cybersecurity rules (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies) took effect. They require listed companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. A high-profile breach therefore now carries consequences well beyond the breach itself: a disclosure obligation with its own securities-law liability. And the SEC's rules are only the tip of the iceberg of regulatory change in U.S. cybersecurity compliance.
The U.S. federal government is quietly driving change across the economy, demanding that all 16 critical infrastructure sectors adhere strictly to cybersecurity regulations. Yet the matter has not been widely publicized and has largely gone unnoticed, whether by institutional investors or anyone else.
Additional Information: the 16 critical infrastructure sectors identified by the United States. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) designates sixteen sectors as critical: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.
These sectors include well-known, heavily regulated markets: the defense industry, financial services, and energy, overseen respectively by the U.S. Department of Defense (DoD), the Securities and Exchange Commission (SEC), and the Department of Energy (DOE). What is often overlooked is the sub-sectors beneath these 16 sectors, which together cover nearly every company engaged in economic activity and its business components; the federal government is introducing new cybersecurity compliance regulations at an increasing rate, putting almost every type of business under its regulatory purview. Take "Commercial Facilities" as an example: it comprises eight sub-sectors, including real estate, retail, sports leagues, and entertainment venues. Cybersecurity regulations and mandatory minimum cybersecurity requirements leave nowhere to hide.
Cybersecurity requirements pervade all industries
While some argue that the U.S. has expanded its power and overstepped its role in the name of cybersecurity, it is clear why these regulations arrived so quickly: the U.S. regards Russia and China as major cyber threats.
With the signing of the White House Executive Order on Improving the Nation's Cybersecurity (Executive Order 14028) in May 2021, the cybersecurity push has gathered pace and is unfolding as a movement that transcends borders. More than a dozen countries have taken joint action with the United States on cybersecurity issues, reflecting a convergence of views and a willingness to follow the U.S. lead.
Extended Material: joint action by the U.S. and its allies on cybersecurity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with 17 U.S. and international partners, released an updated version of Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, which expands on the key principles and guidance and is co-sealed by eight additional international cybersecurity agencies.
Signatory agencies and countries include: CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), along with agencies from Australia, Canada, the United Kingdom, Germany, the Netherlands, New Zealand, the Czech Republic, Israel, Singapore, South Korea, Norway, the Organization of American States (OAS/CICTE and the CSIRTAmericas Network), and Japan (NISC and JPCERT/CC).
The White House executive order mandates baseline standards for all federal contractors, replacing today's inconsistent patchwork of agency-specific policies. Departments and agencies are not waiting for that day: they are rushing to issue their own regulatory requirements.
U.S. Department of Defense contractors are already subject to the Defense Federal Acquisition Regulation Supplement (DFARS), and the forthcoming Cybersecurity Maturity Model Certification (CMMC) 2.0 program will add a certification requirement on top of it. Within a few years, contractors outside defense may also have to meet mandatory minimum cybersecurity requirements as a precondition for obtaining any federal contract.
We've seen:
The U.S. Transportation Security Administration (TSA) has issued new cybersecurity requirements for airport and aircraft operators;
The U.S. Department of Homeland Security (DHS) has issued a rule to protect Controlled Unclassified Information (CUI);
The U.S. Environmental Protection Agency (EPA) has moved to protect the water sector;
and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) has been enacted.
The U.S. is moving toward a new paradigm of cybersecurity compliance, and the ripple effects are reaching the courts as false cybersecurity claims come under judicial scrutiny. Proper security controls are no longer an "option" but a legal and economic "must", signaling a new era of digital resilience and a strengthened economic structure.
The U.S. is pulling all the regulatory levers: setting standards, prosecuting, and encouraging whistleblowing
The U.S. government is using every regulatory lever available to develop and enforce mandatory minimum cybersecurity standards across the economy, much as seat belts, airbags, and other safety features must be installed in every car.
This regulatory expansion is not confined to U.S. borders: Canada has recently adopted a CMMC-aligned certification program for its own defense industrial base, and Japan will also require its contractors to meet cybersecurity requirements equivalent to the U.S. rules.
The pressure to meet mandatory minimum cybersecurity standards is not only about winning a U.S. federal government contract. The U.S. Department of Justice is aggressively using the False Claims Act (FCA) to pursue cybersecurity-related fraud by contractors, and as whistleblowing employees come forward to claim substantial rewards, the cases are beginning to pile up.
In October 2022, Pennsylvania State University was sued by a former chief information officer (CIO) for failing to protect Controlled Unclassified Information (CUI) and knowingly filing false security compliance reports. At the time of writing the case was still pending, but there is precedent for the outcome: in July 2022, Aerojet Rocketdyne agreed to pay $9 million to settle a similar case. In fiscal year 2022, defendants paid more than $2.2 billion in False Claims Act settlements and judgments, of which more than $1.7 billion related to the healthcare industry.
Extended Material: the Pennsylvania State University case. In October 2021, the U.S. Department of Justice (DOJ) launched the Civil Cyber-Fraud Initiative to use the False Claims Act (FCA) to enforce the cybersecurity standards required of U.S. federal contractors and grant recipients. Importantly, the FCA's qui tam provisions allow private parties to report fraud and share in the recovery. The Penn State case is one outcome of the DOJ's implementation of the initiative in 2022.
According to the DOJ, the initiative targets those who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate their obligations to monitor and report cybersecurity incidents and breaches. Among these, compliance with Controlled Unclassified Information (CUI) requirements is a priority area for enforcement.
DFARS clause 252.204-7012 requires DoD contractors to provide "adequate security" to protect CUI, which means, at a minimum, implementing the security controls set out in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Penn State's former CIO alleged that the university prepared a deliberately inaccurate Basic Assessment to downplay its internal findings of alleged CUI violations, and then submitted it to the Department of Defense to maintain eligibility for contract awards.
To underline its resolve to enforce these rules, the U.S. government has also begun taking action against individual companies and executives for misleading and defrauding investors about cyber breaches, as the SEC did in October 2023 when it charged SolarWinds and its chief information security officer, Tim Brown.
Every sector of the U.S. economy faces a transformative mandate to strengthen its digital defenses. Security posture has gone from a nice-to-have to a factor that directly affects the bottom line. This is not merely a policy change but a paradigm shift: cybersecurity compliance has become a legal necessity and a priority, because its consequences now reach further than ever.
Author: Eric Noonan, who has served in the U.S. intelligence community and is currently the CEO of CyberSheath, a U.S. cybersecurity company.
Disclaimer: The information used in writing this article was collected from lawful, public sources, and we cannot guarantee its authenticity, completeness, or accuracy in any form. This article is for the purpose of sharing and exchanging information and does not constitute a basis for decision-making by any enterprise, organization, or individual.