Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage campaign and the Colonial Pipeline ransomware attack. This article summarizes several U.S. government actions aiming to improve the nation’s cybersecurity and the government’s ability to track and respond to cyber incidents. Organizations subject to these actions will need to evaluate how such actions may apply to them and take necessary measures to comply. Organizations should also note that these actions are just examples of a larger whole-of-government effort to bolster the nation’s cybersecurity and address cyberattacks—organizations should expect and watch for additional cyber regulations that may impact their operations.

The Biden Administration

At the forefront of this increased focus on cybersecurity is the Biden Administration’s goal to get the federal government’s cyber protections in order as it encourages private entities to do the same. In May 2021, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity, calling on government agencies to strengthen and protect their data and information-security infrastructure. The SolarWinds hack demonstrated the extent to which government agencies are vulnerable to cyberattacks, especially as a result of open-source software and third-party dependencies that support so much of the federal government’s activities. The Executive Order aims to update and improve government systems and, by mandating software bills of material, improve visibility into hidden vulnerabilities that may exist in the government’s software and systems.

U.S. Securities and Exchange Commission

Entities regulated by the Securities and Exchange Commission (SEC) already face increased cyber-related scrutiny. For example, public companies must already disclose material events related to cybersecurity and cyber risk, and financial sector registrants must comply with Regulation Systems Compliance and Integrity (also referred to as Reg SCI), which requires that self-regulatory organizations have sound technological programs. Broker-dealers, investment companies and investment advisors must also adopt written policies and procedures addressing the protection of customer information and records under Regulation S-P.

In 2018, the SEC issued interpretive guidance on public company cybersecurity disclosure requirements. The guidance calls for companies to use a quantitative and qualitative analysis to determine the materiality of a cyber risk or cyber incident. Under the guidance, public companies should consider the nature of the risk and the range of harm associated with the cyber risk or incident.

Although the interpretive guidance remains the most comprehensive SEC guidance on cyber-related disclosures to date, on March 9, 2022, the SEC proposed rule amendments to mandate the disclosure of material cybersecurity incidents and cybersecurity risk management, strategy and governance. The amendments would require the disclosure of material cybersecurity incidents on a Form 8-K within four business days of determining the event was material, and periodic reporting of certain policies and procedures.[1] The rule also suggests that multiple nonmaterial events may aggregate into a material disclosure requirement.

The SEC’s Enforcement Division is also responding aggressively to cyber incidents. In 2021, the SEC sanctioned eight firms for failures in cybersecurity policies and procedures, settled charges against a real estate settlement services company for cybersecurity-related disclosure controls violations, and reached a settlement with a company for misleading investors about a cyber intrusion. Following the SolarWinds incident, the SEC asked over 100 entities to voluntarily provide information about the impact the SolarWinds breach may have had on their businesses. The SEC asked the entities to disclose whether they had failed to make any required disclosures in connection with the incident. However, the SEC also asked for information on unrelated “Other Compromises” that could evidence disclosure violations.

The increased cyber enforcement trend does not show signs of slowing down. On May 3, 2022, the SEC announced that it had nearly doubled the size of the Enforcement Division’s Crypto Assets and Cyber Unit. The unit has brought over 80 enforcement actions since its founding in 2017. With the addition of 20 new positions—consisting of supervisors, investigative staff attorneys, trial counsels and fraud analysts—enforcement actions in the crypto and cyber spaces are sure to continue.

Office of the Comptroller of the Currency

On April 1, 2022, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the Federal Reserve Board implemented a rule requiring banking organizations to notify their primary federal regulator after an incident affecting or disrupting bank operations is discovered “as soon as possible and no later than 36 hours.” The rule also requires bank service providers to notify their banking organization customers when they experience an incident.

FinCEN

In November 2021, the Financial Crimes Enforcement Network (FinCEN) issued an advisory indicating that money services businesses and other entities subject to the Bank Secrecy Act should file a suspicious activity report if they think a ransomware payment is processed through them. FinCEN is using the data to track ransomware groups and quantify the ransoms they are able to extract. For example, FinCEN noted that Darkside and Sodinokibi/REvil, the groups behind the Colonial Pipeline and the JBS and Kaseya attacks, respectively, accounted for 458 reported ransomware-related transactions in the first half of 2021, with a total value of $590 million.

Takeaways

These actions demonstrate that additional scrutiny of cyber protections and cyberattacks is here to stay. Now more than ever, cybersecurity is not just an “IT” problem but an issue that must be addressed by management as a core enterprise risk. A failure to address cybersecurity is increasingly likely to result in harm to business operations, regulatory scrutiny, and difficulty securing business with government and private-sector business partners.