Cyber incidents are on the rise. In a 2016 PwC survey of businesses worldwide, 86 percent of respondents reported exploits of operational, embedded and consumer systems. Hacking and other cyber incidents are also reported to be growing by nearly 40 percent every year.
Governments around the world are responding to this surge by playing an active part in releasing guidance and regulations for corporate information security, as well as engaging with the private sector on best practices designed to achieve stronger safeguards while protecting confidential information from loss and theft.
In the U.S. alone, Congress has introduced more than 240 bills, amendments and other legislative proposals in the past three years, in an attempt to find a stable ground for the ever-changing landscape of cybersecurity. Governments are requiring companies and other organizations to implement cybersecurity controls ranging from mandated requirements for government-related data and industry sectors labeled as “critical infrastructure,” to legal obligations to protect confidential information in specific ways.
Other regulatory areas, such as securities and unfair competition, are also expanding mandates to require cybersecurity as a key aspect of corporate compliance.
These new requirements are often inconsistent among different governments, between different agencies of the same government, and from industry to industry. One of the major unknowns for companies is whether they can embrace one overall information security framework, or whether they will face a splintered environment with an unmanageable number of different corporate, industry and government requirements, standards and practices.
The diversity and complexity of cybersecurity risks, and their evolving character, have caused governments to respond in many different ways. Some governments are taking action directly to require the cybersecurity of various public and private networks and systems, while others are encouraging the development of voluntary frameworks and best practices that industries can choose to adopt.
Some new requirements are fairly general, and others are both specific to the protection objectives and prescriptive to the measures required. And some requirements are being mandated by specific government legislation, while others are being implemented by regulatory agencies or as the result of agency or law enforcement actions, or private lawsuits.
Here are the top five things you should know about the coming wave of new cybersecurity regulations as discussed in CREATe’s new whitepaper.
1. Evolving direct requirements in critical infrastructure sectors
In the U.S., existing information security safeguards have been imposed on the financial services and health care sectors – the Gramm-Leach-Bliley Act of 1999, the Federal Trade Commission’s Safeguards Rule, Health Insurance Portability and Accountability Act of 1996, and the Department of Health and Human Services’ Security Rule.
There is a move from mandates that simply protect individuals’ interests to affirmative cybersecurity management requirements that protect critical infrastructure. For example, under HHS’s Security Rule, more than 24,000 enforcement cases against health sector entities and their business associates have already been investigated and resolved for noncompliance.
Likewise, new legislation is appearing in Europe and Asia that will impose cybersecurity expectations on a significant range of private-sector “essential” service industries, including energy, transport, banking, financial markets, health, public water and digital infrastructure. Example legislation includes:
European Union (EU) NIS Directive. The proposed Network and Information Security (“NIS”) Directive — provisionally agreed by the EU Commission, Parliament and national governments in December 2015 and formally approved in April 2016 — requires national governments and designated industry sectors to implement particular programs and protections to “manage risks posed to the security of networks and information systems.”
German Information Technology (“IT”) Security Act was adopted in July 2015; expected secondary legislation will further specify the Act’s coverage.
China Cybersecurity Law is currently being considered by The National People’s Congress of the People’s Republic of China and would hold Chinese and multinational companies responsible for protecting their users from data breaches.
Japan Cybersecurity Basic Act was instituted in 2014 by the Japanese government, requiring infrastructure and cyber-related businesses to take voluntary measures to enhance cybersecurity and cooperate with the government on implementation. As part of its 2015 Cybersecurity Strategy, the government is also working with industry to review recommendations for improving protections of critical infrastructure and deterrence capabilities.
2. Cybersecurity requirements extending to government departments
The U.S. Federal Information Security Modernization Act of 2014 (FISMA) calls for the head of every government agency to implement information security protections that are commensurate with the risk and magnitude of harm that would result from the unauthorized access, use, disclosure, disruption, modification or destruction of the agency’s data or its information systems.
These required protections also extend to the information systems of contractors and other parties operating on the agency’s behalf. Each agency is required to appoint a Chief Information Officer and develop its own information security program.
The European Union’s NIS Directive will place similar obligations on respective national governments and agencies, including the cooperation between the public and private sectors.
3. New requirements for protecting trade secrets
Recent legislative proposals, legislation and cases in the U.S., Europe and elsewhere signal a rush of new mandates about how industry should implement cybersecurity protections for valuable confidential business and technical information (i.e., trade secrets).
The trend to closely examine a trade-secret owner’s cybersecurity efforts no doubt will continue as the theft of such material by cyberattack continues. Cybersecurity, therefore, has a dual purpose: protecting information against unauthorized disclosure, and providing key evidence of a company’s efforts to protect its assets, which is required by most countries’ domestic law and is presented during the legal process when those protections have failed to prevent misappropriation. (Learn more in the CREATe Whitepaper: "Reasonable Steps" To Protect Trade Secrets.)
4. New securities laws and cybersecurity requirements
In the U.S., standards of practice are evolving from shareholder litigation and SEC guidance and enforcement. The Cybersecurity Disclosure Act of 2015, if adopted, would require public companies to disclose in their securities filings whether any members of their board (or other governing body) have expertise or experience in cybersecurity.
Last year, the SEC brought and settled an enforcement action against the investment adviser R.T. Jones Capital Equities Management for failing to adopt adequate policies and procedures to protect customer data against cyber threats under Regulation S-P. Additionally, shareholder derivative lawsuits have followed cybersecurity breaches, such as the highly publicized incidents at Target, Wyndham and Home Depot.
5. Unfair competition/trade law requirements related to cybersecurity
The U.S. Federal Trade Commission issued a “Cybersecurity Guide for Business” in June 2015, which will also be used as a benchmark in future FTC cases. The FTC asserts that if companies misrepresent the security measures they are taking to protect consumers’ personal information, and fail to safeguard personal information in ways that damage consumers, they are engaged in unfair and deceptive practices.
A federal district court case against the Wyndham Worldwide Corporation hotel group following data breaches charged that Wyndham’s security measures were inadequate for failing to include protections such as complex user IDs and passwords, firewalls and network segmentation.
For more information on government cybersecurity regulation and how to prepare for increased requirements, download CREATe’s new whitepaper: Cyber Risk: Navigating the Rising Tide of Cybersecurity Regulation.