When it comes to cybersecurity governance, 2023 stood out as one of the most eventful in a very long time. With everything from the enactment of stronger new cybersecurity regulations around incident disclosure from the Securities and Exchange Commission (SEC) to significant changes afoot for financial and cloud services providers operating within the European Union, many companies worldwide will be called to adjust to a new normal in 2024.
New rules, strategies and cybersecurity frameworks out last year will affect enterprise risk and security teams in the year to come—some profoundly. Each has the potential to change enterprise governance and cyber risk management programs, whether it's how enterprises protect their systems or how they are positioned to disclose security incidents to better understand the compliance obligations among business partners and suppliers.
Here are five (5) developments that will push CISOs and risk leaders to up their game. All will require increased levels of visibility and board reporting that will cause even the most mature cyber programs to flex their asset visibility, exposure management, and communication strategies in the year to come.
The SEC Adopts New Cybersecurity Disclosure Rules
In July, the SEC adopted new rules on companies under its purview that require the disclosure of material cybersecurity incidents and to provide the commission with an annual update detailing their cybersecurity risk management, strategy, and governance programs. Foreign private issuers are not off the hook: the SEC ensured the rules also apply to them. The new SEC rules also require companies to publicly disclose material breaches' scope, timing, and reasonable material impact.
Shortly after these new rules were announced, the SEC brought charges against the SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy Brown. Some in the industry contend this action merely indicates that cybersecurity has become core to a company's fiduciary responsibilities. In contrast, others say in the complaint the SEC is holding CISOs roles and responsibilities to a standard that they can't meet because they don't have the authority to execute their security and risk management program to the degree the SEC assumes in the complaint. Time will tell how this controversy shakes out as the case winds through the courts.
The National Cybersecurity Strategy
In March, the White House published the National Cybersecurity Strategy. The strategy aims to shift the burden for cybersecurity away from individuals, small businesses, and local governments and onto the organizations that are most capable and best positioned to reduce risks—that typically means larger enterprises, software and hardware makers, and those businesses that operate within the critical infrastructure.
The National Cybersecurity Strategy also stresses all organizations' need to balance current cyber threats with long-term cybersecurity resiliency by effectively defending against today's threats and investing in long-term cybersecurity systems and controls.
Since the Clinton administration in 1998, every presidential administration has issued a plan to secure cyberspace, or at least some corners of it, such as critical infrastructure. Progress has been slow. Perhaps events in recent years will prove a more significant catalyst than events in the past. Time will tell.
The New York Part 500 Cybersecurity Regulations
In November, the New York Department of Financial Services (NYDFS) published the first significant updates to its Part 500 Regulations since those regulations were initially published in 2017. The New York Part 500 Cybersecurity Regulations, also known as 23 NYCRR Part 500, are rules by the NYDFS requiring covered financial services firms to assess their cybersecurity risk profile and implement a comprehensive cybersecurity program. The companies covered by the NYDFS 23 NYCRR Part 500 typically include financial institutions, banks, and insurance companies.
One of the most consequential changes is adding a new entity class known as a "Class A" entity. A Class A entity is an organization covered by NYDFS 23 NYCRR Part 500. It is a company with over 2,000 employees and at least $20 million in gross annual revenue in the last two years, or over $1 billion in revenue in the previous two years.
Class A entities now have more stringent requirements. They must design and conduct independent cybersecurity audits, implement endpoint anomaly detection, and centralize their logging unless the CISO details an exemption reason in writing. They must also implement more excellent controls over privileged accounts and passwords.
CISOs are also now required to report to their senior governing body or other senior executives on material cybersecurity issues, including "significant cybersecurity events and significant changes to the covered entity's cybersecurity program."
Regarding cybersecurity, financial services firms are already among the most mature. Meeting these requirements should be an exercise in mostly reporting cybersecurity work already being done to the NYDFS. If not, 23 NYCRR Part 500 is a good reason to catch up.
The Digital Operations Resilience Act arrives
The Digital Operations Resilience Act, or DORA requirements, sets out concrete measures covering new security operations that all financial services firms that operate within the European Union (EU) must perform. These new rules include stricter controls and operational continuity plans, identifying their digital technology risks, submitting reports on digital technology-related incidents, test preparedness, and ensuring digital technology third parties are also resilient.
Penalties or criminal sanctions are written directly within the DORA regulation, yet individual EU nations will institute their own penalties and criminal sanctions. These can include fines of up to 10 million euros or 5% of the total annual revenue within that nation or up to 2% of the total annual worldwide revenues.
The new regulations extend beyond EU-based financial services and technology services providers to include all companies that provide these services in the EU. All these entities should ensure they're operating within compliance with the new rules.
Like the NY state regulatory rules, most of these institutions should already be performing the work covered by DORA, and compliance should be as straightforward as layering a reporting structure on top of their existing program. DORA is also an excellent reason to get caught up for those where this isn't the case.
The President's AI Security and Safety Directive
The AI directive published by the White House issued in September 2023 may —or may not— cause some enterprises to pump their brakes in their implementation. The Executive Order calls for safety and security standards to apply to AO, new consumer and worker safeguards, and anti-bias systems to be developed by federal agencies and the makers of LLM AI models. The presidential directive also hopes to encourage security testing standards to be developed through public-private collaboration.
In terms of immediate impact, the executive underscores a proactive regulatory stance, urging businesses to swiftly align their AI strategies with the rapidly evolving legal framework around this technology. Organizations will also want to pay close attention to any bias in their home-developed models, the security of their models, and the data that feeds into their models and to ensure that their AI systems live up to the privacy and security promises their organization makes.
It's apparent from the data breaches we've witnessed and the significant actions taken by regulatory agencies in the past year that we're entering a new age in enterprise risk management and cybersecurity. Those enterprise security and risk management teams with the mature cyber risk management and cybersecurity programs in place will be able to adapt best going forward.