Cybersecurity Regulation – How are U.S. Policies Evolving to Combat New Threats?
During the past decade, with cyber-attacks on the rise, legislation surrounding cybersecurity efforts has been a point of interest for the United States government. In 2018 alone, 35 states, as well as D.C. and Puerto Rico, introduced or considered more than 265 bills or resolutions related to cybersecurity. As cybersecurity continues to be a concern for government, as well as public and private sectors, how will policies evolve to protect sensitive information and prevent data breaches? We’ve presented a brief snapshot of the most recent updates within cybersecurity regulation, as well as what you can expect to see from the Securities and Exchange Commission in 2019.
Federal Cybersecurity Regulation
2018 was an eventful year for the Cyber Unit at the Securities and Exchange Commission. Over the course of the year, the SEC brought forward 20 stand-alone cases and 225 “ongoing” cases related to cybersecurity. According to the Harvard Law School Forum on Corporate Governance and Financial Regulation, the SEC made noteworthy moves in three different areas:
- Issuing long-awaited guidance concerning cybersecurity disclosure issues for public companies.
- Commencing enforcement actions against several companies for cyber-related ball drops.
- Issuing an investigatory report about internal control failures relating to cyber or “business compromise” email fraud, which resulted in $100 million in losses.
Perhaps one of the most notable cases pursued by the SEC in 2018 was their $35 million settlement over the Yahoo! data breach. The SEC fined the multi-billion-dollar company for failing to publicly disclose a large and detrimental hacking attack. Management at Yahoo! waited almost two years to disclose to investors that hackers had stolen the personal information of hundreds of millions of Yahoo! users. The regulatory action taken by the SEC was the first of its kind – this was the first action ever taken based on a cybersecurity disclosure violation. The settlement with Yahoo! is just one example of the many cases brought forward by the SEC during 2018 based on cybersecurity regulation and protection.
While there is currently no overarching framework legislation in place in the United States, the federal government has enacted several statutes relating to data security and risk regulation. Some of the more well-known government regulations include the Health Insurance Portability and Accountability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, and the Homeland Security Act, which features the Federal Information Security Management Act (FISMA). These three acts apply mainly to healthcare organizations, financial institutions, and federal agencies, respectively.
Beyond these three core acts, which were all established during the 1990’s and early 2000’s, policymakers have continued to push for tougher regulations as cyber threats grow more advanced and lethal. 2015 was a particularly strong year in terms of garnering attention from key policymakers and enacting new regulations surrounding cybersecurity. During 2015, Congress made great strides in cybersecurity policy, passing four new measures: The Cybersecurity Enhancement Act of 2014, The Cybersecurity Information Sharing Act, The Federal Exchange Breach Notification Act of 2015, and The National Cybersecurity Protection Advancement Act of 2015. As new cyber concerns emerge, it will be interesting to see how federal lawmakers amend these acts to account for changes in threat risk.
State Cybersecurity Regulation
Although the federal government has yet to enact an all-encompassing framework to guide commercial cybersecurity law in the United States, state governments are working to pass more stringent and relevant policies that cater to their states’ specific industries and unique business environments. According to the National Conference of State Legislatures,
“States are addressing cybersecurity through various initiatives, such as providing more funding for improved security measures, requiring government agencies or businesses to implement specific types of security practices, increasing penalties for computer crimes, addressing threats to critical infrastructure and more.”
Some of the key areas of legislative activity many states have zeroed in on include improving government security practices, providing funding for programs and initiatives, regulating public disclosure of sensitive government cybersecurity information, and furthering workforce, training, and economic development. The National Conference of State Legislatures provides a full list of the cybersecurity regulations each state attempted to enact during 2018.
Looking forward, the Securities and Exchange Commission has established five regulatory priorities for 2019:
- Cybersecurity Risk Disclosures
- Timely Disclosure of Cybersecurity Incidents
- Insider Trading Controls
- Effectiveness of Data Security Policies
- Internal Accounting Controls
Several of the cybersecurity cases pursued by the SEC in 2018 involved the issues listed above. Whether it was Yahoo!’s tardy disclosure of a cyber-attack, Equifax’s insider trading scandal, or Ameriprise’s over-dependence on automation technology to detect employee fraud, these major incidents have pushed the Commission to reinforce their cybersecurity initiatives and plans going forward. With cyber-attacks becoming increasingly sophisticated and challenging to detect and eliminate, it’s imperative that the policies protecting businesses and consumers alike are evolving similarly in scale alongside these threats.
If you have concerns and/or questions about how current cybersecurity regulations affect you and your business, the security experts at Envision can help you make sense of it all. Contact us today to start a conversation about how these regulations may impact your unique business operations and policies.