Last Updated on 05/12/2023 by Dolly
The scale of cyberattacks and their impact mean that the effects of these incidents can spread across societies and borders. Cybersecurity has reached a tipping point after years of leaving private sector organizations to deal with cyber incidents on their own.
Governments now feel pressure to “do something,” and many are considering enacting new rules and laws. However, lawmakers frequently struggle to regulate technology: they act out of political necessity, and most do not have a firm understanding of the technology at issue. The effects, impacts, and uncertainties for businesses are frequently not realized until after the fact.
The Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and Cybersecurity and Infrastructure Security Agency are all developing new rules that will be enforced in the United States. In addition, in 2021 alone, 36 states enacted new cybersecurity legislation. Globally, there are numerous initiatives, including the GDPR and its incident reporting requirements in the EU, the data localization requirements in China and Russia, the CERT-In incident reporting requirements in India, and others.
However, businesses do not have to wait passively for the rules to be finalized and put into effect. Instead, they should be working right away to understand the types of regulations currently under consideration, identify the uncertainties and potential effects, and get ready to take action.
Observations for Companies and Organizations
Make certain your processes are effective
SEC-regulated firms, which include many of the leading US businesses, urgently need to clarify the concept of ‘materiality’ in light of recent regulations. They need to assess and review their existing policies and procedures to determine how ‘materiality’ is defined and decided. Quick and frequent decisions require streamlined operations for compliance.
Keep your ransomware policies up to date
Across the board, regulations are being made, including those relating to reporting ransomware attacks and, in particular, the criminalization of paying ransoms. The operation of cybersecurity insurance policies may need to change, and company policies on ransomware payments need to be reviewed.
Prepare for the “Software Bill of Materials” to examine your supply chain in more detail
Many companies did not know they had a vulnerability in log4j, a logging library that came packaged with other software. A Software Bill of Materials (SBOM) is a detailed and up-to-date list that quickly and accurately shows all the different pieces of software embedded in complex computer systems, and it is recommended that companies actively use this list.
Even though an SBOM might be useful for other things, it might necessitate major changes in how your business creates and acquires software. Management needs to assess how these changes will affect the organization.
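To show what “actively using” an SBOM looks like in practice, here is an added example (not code from the original article) that walks a constructed, simplified CycloneDX-style SBOM, including components nested inside other components, and flags any watchlisted component whose version is below a given threshold. The sample document, the component names, and the 2.17.1 threshold for log4j-core are illustrative assumptions chosen for this example; in real use the thresholds would come from your vulnerability feed and the SBOM from your build or supplier.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Constructed sample SBOM in a simplified CycloneDX-style JSON layout.
# Only the fields this example reads are present; it is not a real product's SBOM.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "application", "name": "payments-service", "version": "1.8.0",
      "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",  "version": "2.14.1"}
      ]
    },
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}
  ]
}
"""

# Watchlist: (group, name) -> lowest acceptable version.
# The 2.17.1 threshold is an illustrative assumption for this example, not an
# authoritative advisory value; take real thresholds from your vulnerability feed.
WATCHLIST: Dict[Tuple[str, str], str] = {
    ("org.apache.logging.log4j", "log4j-core"): "2.17.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) for tuple comparison.

    Only the leading digits of each dot-separated piece are used, so a
    pre-release such as '2.0-beta9' compares as (2, 0). Good enough for a
    triage script; a production tool would use a proper version library.
    """
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def walk_components(components: list, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], str, str, str]]:
    """Yield (path, group, name, version) for every component, recursing into
    nested 'components' so transitively embedded libraries are not missed."""
    for comp in components:
        name = comp.get("name", "")
        yield path, comp.get("group", ""), name, comp.get("version", "")
        yield from walk_components(comp.get("components", []), path + (name,))


def audit_sbom(sbom_text: str, watchlist: Dict[Tuple[str, str], str] = WATCHLIST) -> List[dict]:
    """Return one finding per watchlisted component whose version is below the threshold."""
    doc = json.loads(sbom_text)
    findings = []
    for path, group, name, version in walk_components(doc.get("components", [])):
        threshold = watchlist.get((group, name))
        if threshold is not None and parse_version(version) < parse_version(threshold):
            findings.append({
                "path": " > ".join(path) if path else "<top level>",
                "component": f"{group}:{name}",
                "version": version,
                "fixed_in": threshold,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM):
        print(f"FLAG {f['component']} {f['version']} (below {f['fixed_in']}) via {f['path']}")
```

The point of the nested sample is that the vulnerable log4j-core copy is not a direct dependency: it is embedded inside payments-service, which is exactly the case the article describes, where companies did not know the library was packaged with other software. The patched top-level copy is correctly left alone.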
What else for now?
A designated group or individual must review these regulations on an ongoing basis and determine their impact. In general, the information technology and cybersecurity team focuses on the technical aspects. The regulations do, however, have a company-wide impact, and the wider business must adapt as well. Your company should stay up to date on new regulations and may want to incorporate them proactively.