Titania, like several other individuals, organizations, and governments with operational interests in the US, is gearing up for the US National Cybersecurity Strategy.
Aimed at safeguarding the country’s digital infrastructure, the Biden administration presents the US National Cybersecurity Strategy as a comprehensive plan that outlines the government’s approach to cybersecurity and sets out measures to protect against cyber threats.
The strategy includes a range of initiatives such as increasing funding for cybersecurity research, enhancing information sharing and collaboration between government agencies and private organizations, and developing a skilled cybersecurity workforce.
It also outlines plans to strengthen critical infrastructure such as power grids and financial systems against cyber attacks.
The US National Cybersecurity Strategy has been well-received by cybersecurity experts, who see it as a much-needed step towards bolstering the country’s cyber defenses.
However, some have also raised concerns about the implementation of the strategy and the need for more concrete measures to be put in place.
Should business be concerned about the new US National Cybersecurity Strategy? We say, yes. Where do they start? We say, disclosures!
US National Cybersecurity Strategy: The bold and fine prints
Two core points of the 39-page document issued by the government were listed in the fact sheet published on March 2.
“We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best positioned to reduce risks for all of us.
“We must realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.”
Simply put, the legal shield that protected large tech vendors from liability claims over their products’ security will be off, explained Richard Forno, Principal Lecturer in Computer Science and Electrical Engineering, University of Maryland.
Manufacturers and operators of critical computer systems will bear the responsibility of improving product security, reducing the burden on individual citizens for mitigating cybersecurity risks, he noted.
He highlighted two crucial points buried under all explanations: incident disclosure and ransomware attacks.
The US National Cybersecurity Strategy called for “improved sharing of information between the government and private sector about cybersecurity threats, vulnerabilities and risks”, he wrote.
“Interestingly, the strategy places great emphasis on the threat from ransomware as the most pressing cybercrime facing the U.S. at all levels of government and business. It now calls ransomware a national security threat and not simply a criminal matter.”
In other words, disclosure has become mandatory, and improper disclosure on incidents like ransomware attacks will be treated with the urgency of a national security threat.
The need for proper disclosure is the underlying but unmentioned clause of the three main goals of the US National Cybersecurity Strategy: to secure federal networks and data, to improve cybersecurity for critical infrastructure, and to enhance cybersecurity awareness and education.
US National Cybersecurity Strategy: All roads lead to disclosure
Extrapolate the three points on a business perspective, and we can see both challenges and opportunities.
While the strategy highlights the importance of public-private partnerships in combating cyber threats, it also places a greater emphasis on businesses to prioritize cybersecurity as a key part of their operations, pointed out Sarah Kreps, Director of the Tech Policy Institute at Cornell University.
One of the key initiatives outlined in the strategy is the need for businesses to adopt a “defense-in-depth” approach to cybersecurity.
This means implementing multiple layers of security to better protect against cyber attacks. Businesses are also encouraged to regularly assess their cybersecurity risk and prioritize their security investments accordingly. And yes, disclose and patch vulnerabilities.
Another initiative is the need for businesses to share more information about cyber threats and attacks with the government and other businesses. In short, timely and accurate disclosures of cyber incidents.
Ready to disclose, but how?
The US has a complex set of federal and state laws outlining different requirements for reporting security incidents, including data breaches. Incident disclosure is a fragmented game in the US, particularly because of the individual laws hosted by each state.
The rules are not consistent across states, with several having enacted new laws recently to enhance data protection requirements.
For example, New York has the SHIELD Act, while California and Colorado have both established data privacy legislation. The federal government is trying to unify data protection requirements through the National Cybersecurity Strategy, partly in response to the EU’s General Data Protection Regulation (GDPR).
What is a short and effective step to ensure compliance of most of the state laws? Follow GDPR!
A lot stricter than most of the US laws when it comes to disclosure terms, GDPR will help organizations meet US data protection legislation requirements.
“One of the keys to the GDPR is that data subjects must be fully informed about what is happening to their data, why it is being collected, how it will be used, who will be processing it, where will it be transferred, how they can erase it, how they can protect it, how they can stop its processing, etc,” noted and advisory on GDPR and American businesses, prepared by US law firm Dickinson Wright.
“The bulk of the consent and notification responsibility falls on the controller, but the processor and the controller have to work together to ensure the data subject’s rights are protected,” it added.
Organizations need to ensure that their incident response plans cover incidents across multiple territories and industry-specific requirements, and yes, the concepts of controller and processor.
“Simply put, “processing” personal data is basically collecting, recording, gathering, organizing, storing, altering, retrieving, using, disclosing, other otherwise making available personal data by electronic means. A “controller” is the entity that determines what to do with the personal data,” explained the Dickinson Wright report.
A year ago, the Securities and Exchange Commission (SEC) USA took an initiative to centralise the disclosure norms of companies that are listed in the US stock exchanges.
Among others, the proposed norms made “current reporting of material cybersecurity incidents” and periodic reporting to provide updates about previously reported cybersecurity incidents.
Proper disclosure: Role of a controlling body
Even before the centralization of norms, the SEC has been proactive in ensuring proper and timely disclosure of cybersecurity incidents and have penalised companies that violated the norms.
For instance, the securities watchdog put a penalty of $1 million on London-based education and publishing firm, Pearson, for deceiving investors about a 2018 data breach that resulted in the theft of millions of student records.
The agency found that Pearson made misleading statements and omissions about the data breach, where millions of student usernames, scrambled passwords, and administrator login credentials for 13,000 schools, district, and university customer accounts were stolen.
The SEC revealed that Pearson referred to the incident as a hypothetical risk in a semi-annual review filed in July 2019, even though the data breach had already occurred.
Similarly, the company stated in a release that same month that the breach may include dates of birth and email addresses when it was aware that such records had been stolen.
One of the main reasons for the proposed change is that the SEC noted some incidents were reported in the media but not disclosed by the affected companies in their periodic filings. Additionally, the SEC found that when disclosures were made, the nature and thoroughness of those reports were either inconsistent or incomplete.
To address this, the SEC is proposing uniform requirements on breach reporting, which include: disclosing the time and status of the breach, providing a brief description of the incident, disclosing any data stolen, altered, accessed, or unauthorized, disclosing the impact of the incident on the company’s operations, and reporting on any remediation efforts.
US National Cybersecurity Strategy and disclosure: A checklist for businesses
Although the disclosure norms under the US National Cybersecurity Strategy have not yet been finalized, companies can take certain steps to prepare for potential rule enforcement.
To do so, they should focus on their current cybersecurity technology stack, policies, and breach response procedures. Here is a checklist that can help companies prepare for the new SEC disclosure requirements if they are codified:
Review your cybersecurity policies and procedures
Companies should review and update their cybersecurity policies to ensure that they provide effective disclosure controls and procedures, including communication between the infosec team, those responsible for cybersecurity, and the legal team.
Policies and communication channels should facilitate prompt assessment and escalation of detected cybersecurity incidents. Reviewing and updating policies will ensure the right process, oversight, and compliance with new disclosure requirements.
Revamp board oversight structures
Boards should consider whether to delegate responsibility for overseeing cybersecurity disclosures to a specific committee. Companies should also assess the amount of time the board spends addressing cybersecurity during meetings and allocate more time if necessary.
Improve cybersecurity capabilities of executives
Companies should prioritize executives with cybersecurity experience and capabilities when conducting executive candidate search and hiring processes. They should also consider whether their assessments of executive experience align with the criteria proposed by the SEC, as those executives will appear on disclosures, annual reports, and proxy statements.
Maintain optimum disclosure norms
The best way to prepare for any new rule changes is to maintain optimum disclosure norms.
Companies should enlist an experienced cybersecurity and compliance partner to audit and amend their cybersecurity policies and procedures. They should also train legal, infosec, and operational teams on breach prevention, response, mitigation, and reporting.
In conclusion, companies should begin learning about the specific clauses and details of the new disclosure requirement document while implementing data loss prevention software and other technology tools to mitigate the risk of cyber threats.
Organizations should be prepared to comply with the SEC’s new disclosure framework before any incident occurs. By doing so, businesses can improve security culture and enhance transparency for both the stakeholders and the US National Cybersecurity Strategy compliance.