19th October 2022 • Park Plaza Victoria, London
Real cybersecurity regulation is good news for CISOs
Data privacy has dominated regulators’ thinking in the past few years but that is changing. New regulation around resilience and cybersecurity itself will transform the role of the CISO and the cybersecurity function – or at least it should.
The regulators are on the case. Operational resilience in critical sectors of the economy is now a key focus. Data privacy legislation is well established. And fines for cyber-related misconduct are beginning to be imposed. Just recently, the U.S. Securities and Exchange Commission (SEC) signalled a significant change in how it thinks about what constitutes a threat to companies: It now considers cyber vulnerabilities to be an existential business risk.
This was evident in fines levied against two companies over inadequate disclosures of cybersecurity issues — British publishing company Pearson PLC and First American Financial Corp. In mid-August, the SEC announced that Pearson had agreed to pay $1 million to settle charges that it misled investors following a 2018 breach and theft of millions of student records. And in June, the SEC announced another settlement and $500,000 fine against real estate services company First American Financial for lack of disclosure controls following the discovery of a vulnerability in its system that exposed 800 million image files, including Social Security numbers and financial information.
These fines signal a major shift, and one that could profoundly change the way companies think about cybersecurity threats, communicate internally about these threats, and disclose breaches.
And there is much more regulation coming: March 2022’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires critical infrastructure companies to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
In the same month, the US Securities and Exchange Commission (SEC) proposed a rule requiring publicly listed companies to report cybersecurity incidents, their cybersecurity capabilities, and their board’s cybersecurity expertise and oversight. The latter, Amend Item 407(j) of Regulation S-K, “require[s] disclosure about if any member of the registrant’s Board of directors has cybersecurity experience.” This is a Sarbanes-Oxley moment for cybersecurity, and it will be a game-changer.
And CISOs also should check the updates to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the proposed the Healthcare Cybersecurity Act (S.3904).
What happens in the US happens elsewhere and Europe is already on the case with DORA, and two other regulations (a Cybersecurity Regulation and an Information Security Regulation) which the EU describes as “a milestone in the EU cybersecurity and information security landscape.” Mandatory security regulations mean standards, budgets and, finally, real Board attention.
