Navigating the terrain of cybersecurity regulations

Timothy Tipton
| 10/9/2023
October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance. In this article, a Crowe cybersecurity professional reviews the regulatory landscape and offers insight on how organizations can stay informed on evolving cybersecurity regulations and frameworks.

Cybersecurity regulations can be challenging to navigate, but staying current with them helps organizations stay ahead of threats.

Cyberthreats constantly evolve, so the rules must evolve with them. Standards bodies and regulators, from the National Institute of Standards and Technology (NIST) to the Securities and Exchange Commission (SEC), are revising their guidance and introducing new and updated requirements that reset expectations for cybersecurity programs. Because aligning with these requirements and implementing a solid cybersecurity framework are central to protecting data and networks, organizations need to stay abreast of regulatory developments.

What do new and updated cybersecurity regulations mean for organizations, and how might they reshape the cybersecurity landscape? Following is a breakdown of significant updates and suggested best practices for organizations to get and remain compliant while strengthening their cyber resilience.

NIST Cybersecurity Framework updates

NIST has long been a reference point for organizations building cybersecurity programs, and the NIST Cybersecurity Framework (CSF) has been a foundational guide since its first release in 2014. Like everything else in technology, it is evolving.

Historical context and key updates

The NIST CSF, one of the most widely adopted cybersecurity frameworks in the world, is undergoing its most comprehensive revision since its debut nearly a decade ago. The revision follows more than a year of community feedback, gathered through requests for information, workshops, and a concept paper, so that the framework stays in tune with the needs of its large and varied user base. The draft NIST CSF 2.0 includes the following updates:

  • Broadened scope. Originally written to protect critical infrastructure sectors such as healthcare and energy, the CSF now explicitly aims to provide cybersecurity guidance for all organizations, regardless of size, sector, or maturity. The shift is reflected in the title change from “Framework for Improving Critical Infrastructure Cybersecurity” to simply “The Cybersecurity Framework.”
  • Introduction of a govern function. Alongside the five existing functions of the CSF core (identify, protect, detect, respond, and recover), CSF 2.0 adds a sixth: govern. The govern function makes explicit that cybersecurity is not only a technical challenge but also a significant enterprise risk that requires strategy, policy, roles, and oversight decided at the senior leadership level; outcomes such as risk management strategy, roles and responsibilities, and supply chain risk management are placed under it.
  • Enhanced implementation guidance. The draft CSF 2.0 provides more detailed guidance on using the framework, especially on building profiles (current and target) tailored to a specific organization or sector. Recognizing the diverse needs of the user community, it also introduces implementation examples for the subcategories, which helps organizations, particularly smaller ones, translate each outcome into concrete actions.
  • Integration with other frameworks. A stated goal of CSF 2.0 is to show how other frameworks, standards, and guidelines can be mapped to and used alongside the CSF. The new CSF 2.0 reference tool supports this: it lets users browse, search, and export the CSF core (functions, categories, subcategories, and implementation examples) in both human- and machine-readable formats, which makes it practical to map the core to an organization’s existing control catalog.

Implications and best practices

The NIST CSF’s evolution reflects the changing cybersecurity landscape. As threats grow more sophisticated, the framework’s broader scope and the addition of governance as a core function highlight the need for a holistic approach to cybersecurity. Organizations should:

  • Regularly review and update their cybersecurity strategies against the CSF, using current and target profiles to document where they are and where they intend to be
  • Engage senior leadership in cybersecurity discussions, emphasizing its place in overall enterprise risk management
  • Use the CSF 2.0 reference tool to export the core and map it to the other frameworks and standards they already use, so that one set of controls can be assessed against several requirements

By broadening the scope and enhancing implementation guidance, the CSF is a more pragmatic framework for all organizations to use for assessing capabilities and maturing their cybersecurity programs.

SEC cybersecurity updates

The Securities and Exchange Commission works to ensure that publicly traded companies maintain transparency and protect their investors. Recognizing the growing significance of cybersecurity risk to the financial markets, the SEC has adopted substantial new rules on cybersecurity disclosure, particularly concerning material incidents.

Historical context and key updates

Cybersecurity threats are among the most significant risks public companies face. Because security events can affect investors and the broader market, the SEC has progressively formalized its expectations, moving from interpretive guidance in 2011 and 2018 to binding rules in 2023.

  • Disclosure of material cybersecurity incidents. On July 26, 2023, the SEC adopted rules that require registrants to disclose material cybersecurity incidents. The goal is to keep investors promptly and consistently informed about significant security events that could affect a company’s financial condition, operations, or reputation.
  • Form 8-K Item 1.05. Companies must disclose a cybersecurity incident they determine to be material under new Item 1.05 of Form 8-K. The disclosure must describe the material aspects of the incident’s nature, scope, and timing, and its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. The rule does not require disclosure of technical details (such as specific vulnerabilities or response plans) that would impede the response or remediation.
  • Disclosure timeframe. The Item 1.05 Form 8-K is due within four business days after the company determines that the incident is material, and the rule requires that materiality determination to be made without unreasonable delay after discovery. Disclosure may be delayed only if the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing.
  • Annual risk management, strategy, and governance disclosures. The new Regulation S-K Item 106, included in the annual report on Form 10-K, requires companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether any risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company. It also requires a description of the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing it, giving investors a holistic view of the company’s posture and preparedness.

Implications and best practices

The SEC’s focus on cybersecurity disclosure underscores the importance of transparency in an interconnected financial ecosystem. Item 1.05 of Form 8-K applies to incidents from December 18, 2023 (smaller reporting companies have until June 15, 2024), and the Item 106 disclosures apply to annual reports for fiscal years ending on or after December 15, 2023. Companies should:

  • Establish documented internal processes, with defined roles and escalation paths between the security, legal, and finance functions, so that incidents are identified and their materiality assessed without unreasonable delay
  • Prepare disclosure controls in advance, including templates for Item 1.05 filings, so that the four-business-day clock can be met once materiality is determined
  • Conduct regular cybersecurity risk assessments and keep the Item 106 descriptions of risk management processes, board oversight, and management expertise accurate and current

NYCRR Part 500 cybersecurity updates

The New York Department of Financial Services (NYDFS) has been at the forefront of cybersecurity regulation in the financial sector since its Part 500 regulation took effect in 2017. In 2023, NYDFS proposed significant changes to that regulation. Following is a breakdown of the proposed 2023 amendments to 23 NYCRR Part 500.

Introduction to the 2023 proposal

  • On June 28, 2023, NYDFS published a revised proposed second amendment (the 2023 proposal) to its 23 NYCRR Part 500 cybersecurity regulation.
  • The regulation applies to “covered entities,” defined as any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York banking, insurance, or financial services law.
  • The 2023 proposal responds to comments from industry groups and other stakeholders on the proposed revisions NYDFS published on Nov. 9, 2022.

New and expanded requirements

  • Class A companies. The proposal introduces a new category, “class A companies”: covered entities with at least $20 million in gross annual revenue from New York operations in each of the last two fiscal years that also have either more than 2,000 employees (averaged over the last two fiscal years, including affiliates) or more than $1 billion in gross annual revenue from all operations in each of the last two fiscal years. Class A companies face additional obligations, such as independent audits of their cybersecurity programs and privileged access management controls.
  • Governance. The proposal broadens governance requirements, including approval of the cybersecurity policy by the senior governing body (such as the board) and regular reporting to it on material cybersecurity issues.
  • Incident notice. The proposal expands incident notification, including notice to NYDFS of extortion payments, and tightens the annual compliance certification requirements.
  • Asset inventory. The proposal adds requirements for maintaining an asset inventory, including specified attributes for each asset.
  • Multifactor authentication. The proposal revises the multifactor authentication requirement so that it applies to any individual accessing any of the covered entity’s information systems, not only remote access.

Definitions and differentiations

  • The 2023 proposal introduces new definitions, including independent audit, privileged account, and senior governing body.
  • It also modifies the definition of third-party service provider to exclude governmental entities.

Implications for regulated entities

  • The 2023 proposal would significantly expand cybersecurity requirements for companies regulated by NYDFS, especially those classified as class A companies.
  • Some of the new requirements, such as the attributes required in asset inventories and the broadened multifactor authentication mandate, might require extensive changes to existing systems and processes.

Broader impact

  • While the amendments were still open for comment at the time of writing, covered entities would benefit from assessing now how they would meet the requirements if they are finalized in similar form.
  • Businesses not subject to NYDFS regulation might also benefit from reviewing the proposal as an indicator of future trends, because NYDFS cybersecurity requirements have often been adopted by, or have influenced, regulators in other states and at the federal level.

Global perspective: Cybersecurity regulations beyond the U.S.

Because today’s digital infrastructure is interconnected, cybersecurity is a global concern. As cyberthreats evolve, governments worldwide are adapting their regulatory frameworks. Following is a snapshot of several 2023 developments in global cybersecurity regulation and related observations on the global landscape.

  • European Union (EU). The EU continues to set the pace in data protection and cybersecurity standards. The General Data Protection Regulation remains a cornerstone, and the NIS2 Directive, adopted in late 2022 and in force since January 2023, replaces the original Network and Information Systems Directive, broadens the sectors covered, and strengthens security and incident-reporting obligations across member states, which must transpose it into national law by October 17, 2024.
  • Asia. The region continues to expand its cybersecurity frameworks. Singapore’s Cybersecurity Act, which regulates owners of critical information infrastructure, is being refined to keep those owners proactive, and Japan emphasizes swift incident response under its Basic Act on Cybersecurity.
  • Australia. The Notifiable Data Breaches scheme under the Privacy Act 1988 continues to require organizations to notify affected individuals and the regulator of eligible data breaches, and amendments passed in late 2022 substantially increased penalties for serious or repeated privacy breaches, raising the cost of inadequate preventive measures.
  • Geopolitical instability. The World Economic Forum’s Global Cybersecurity Outlook 2023 reports that 93% of cybersecurity leaders and 86% of business leaders believe geopolitical instability is likely to lead to a catastrophic cyber event in the next two years. This shared concern underscores the need for international cooperation on cybersecurity.
  • Emerging technologies. Rapid adoption of emerging technologies such as artificial intelligence and machine learning is reshaping the cybersecurity risk landscape. Organizations worldwide face the dual challenge of using these technologies while managing the risks they introduce.
  • Geopolitical influences on strategy. The geopolitical events of 2023, including tensions arising from the Russia-Ukraine war, have significantly influenced cybersecurity strategies. Organizations are investing more in understanding the evolving threat landscape and adapting their defenses accordingly.

Taking proactive steps

Cybersecurity Awareness Month is a good reminder that cybersecurity is not only about technology but also about collaboration and shared responsibility. Organizations that track these regulatory developments and act on them early can meet their obligations and strengthen their resilience at the same time.
