A new blog post from law firm Wiley takes a high-level look at some of the cyber policy issues that dominated the news cycle in 2023 and provides insights into next steps for 2024 and what to watch.
“As the cost of responding to cyber-attacks keeps mounting, federal and state regulators have responded with increased regulations and disclosure requirements enhancing the complexities associated with responding to ransomware attacks and data breaches. This is a key inflection point in cyber policy, as the federal government touts harmonization while agencies proceed in varied directions,” the Jan. 2 post says.
The post highlights 10 policy issues to consider in 2024, including harmonizing incident reporting regulations, new cyber mandates, activities around zero trust and software assurance, disclosures under the Securities and Exchange Commission’s incident reporting rule, and the potential intersection of artificial intelligence and cyber policy.
Megan Brown, Partner, Wiley Rein
The post was written by Wiley’s Megan Brown, Kathleen Scott, Jacqueline Brown, Sydney White, Tyler Bridegan and Joshua Waldman.
Wiley argues, “2024 may be the year that incident reporting mandates reshape the cyber landscape. Government agencies are layering new and varied rules on top of the existing patchwork of state breach reporting and are taking a variety of approaches that may complicate compliance.”
The post specifically refers to the upcoming proposed rule from the Cybersecurity and Infrastructure Security Agency on incident reporting.
It says, “CIRCIA gave DHS two years to develop the proposed rules and their issuance in the New Year will provide critical infrastructure entities and related trade associations with an important opportunity to comment on how the prospective new reporting obligations will impact their operations. We continue to urge critical infrastructure owners and operators to consider making comments on the new draft rules to help define which companies need to report what types of incidents.”
Other incident reporting rules to watch, according to Wiley, include the SEC’s requirements that went into effect last month, new data breach reporting obligations at the Federal Communications Commission, and amendments adopted in November to the New York Department of Financial Services’ cyber requirements for financial companies.
The post also notes that the Office of the National Cyber Director sought feedback in 2023, through a request for information, on how to harmonize cybersecurity regulations. The post says, “The RFI offered stakeholders an important opportunity to reiterate to the federal government the importance of harmonization and deconfliction in the cybersecurity arena.”
The second policy area is new cyber mandates, where Wiley asks how far the requirements will go. Wiley notes that CISA’s cross-sector cyber performance goals are intended to be voluntary “but are being identified by regulators as part of new requirements.”
In addition, the post highlights CISA’s secure by design principles updated in October, arguing that the “move to recommending secure-by-design further highlights the government’s embrace of cybersecurity performance goals, originally developed for critical infrastructure, as setting an important bar for other sectors as well.”
Wiley also notes security directives issued by the Transportation Security Administration for rail, pipelines and aviation, as well as state regulations in New York and California.
The post says, “It remains to be seen how these regulations unfold—especially given the legal issues around authority that we discuss below—but for the time being, agencies appear to be heeding the National Cybersecurity Strategy’s call for more regulation.”
The post raises questions over software development and assurance mandates, referring specifically to the secure software self-attestation common form in the works from CISA and the Office of Management and Budget.
The post says, “With mandates for government contractors coming soon, and the government continuing to emphasize changes to software development business practices, companies should be looking to assess their existing programs against government guidance, engage with the appropriate agencies to help them understand existing practices and tradeoffs, and consider expanding compliance programs to address new requirements.”
In another major policy area to watch, the post says the SEC’s incident disclosure rule will have an impact on “public discussions of cyber incidents.” The post says, “The SEC’s enforcement actions related to cybersecurity take on a new urgency in 2024.”
Wiley argues, “Now that the SEC rules are in effect, the press, regulators, and even criminals are closely watching for cybersecurity incident disclosure 8-Ks. Coverage of these disclosures is likely to drive significant public conversation about ongoing cybersecurity incidents.”
The post explains that the SEC requirement is to report within four days of a material cyber incident. It says, “Companies will need to develop and practice their capabilities to produce the mandated disclosures in compliance with the SEC’s rule amidst the atmosphere of uncertainty and disruption that material cybersecurity incidents bring.”
Wiley considers in another section how the 2022 Cyber Incident Reporting for Critical Infrastructure Act will shift CISA’s role and impact the agency’s relationships with the private sector.
The post says, “The private sector should be watching how CISA defines the incident information required to be reported. An overly broad definition combined with an expansive scope of the contents required in incident reports could result in CISA collecting unmanageable amounts of data that bogs down analysis and sharing across critical infrastructure sectors, two of the key goals of CIRCIA.”
It continues, “CISA’s ability to act as a partner collaborating to reduce critical infrastructure cyber risk may be impacted by CISA’s implementation of the new regulations. In particular, the private sector should be interested in whether CISA will be able to manage these dual roles and whether critical infrastructure entities may be more reluctant to be forthcoming with sharing information on threats and mitigations through existing collaborative mechanisms.”
Finally, the post considers how artificial intelligence and cyber policy could interact as regulatory interest in AI “explodes.”
“The FCC, FTC, SEC and other agencies are looking at particular regulatory questions as dozens of workstreams were kicked off by a recent Executive Order, 14110, The Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. At the same time, Congress has dozens of draft bills and state legislatures and regulators are also taking action,” the post says.
Wiley argues, “Many of the reasons for interest invoke security issues.”
The post concludes, “We set up a working group at Wiley to address cross-sector AI issues, and we are closely following for 2024 how regulators and legislators will address AI and whether cyber will drive new regulation of AI.” -- Sara Friedman (firstname.lastname@example.org)