Cybersecurity regulations seek to standardize safety procedures and mitigation measures to strengthen the organizational response to cyberattacks. Cybersecurity regulations distill the concerted efforts of regulatory agencies, cybersecurity experts, and governments to offer rational and actionable advisories. These regulations are not one-time measures but organic, evolutionary systems to tackle the changing threat landscape.
What are cybersecurity regulations?
Cybersecurity regulations are rules and directives that help safeguard digital systems, computers, and information technology assets from cybercriminals. When implemented, they give companies a mechanism to protect their digital infrastructure and information from cyberattacks such as social engineering, malware, privilege escalation, and distributed denial of service (DDoS).
Cybersecurity regulations weave a web of compliance obligations that applies globally. They also include directives that establish responsibility and accountability, so that senior corporate leaders handle security and risk issues thoughtfully and strategically.
What we don't know about cyberattacks and incidents
Today, most countries either have no cybersecurity regulations and compliance requirements or focus on privacy rather than security. However, privacy without security is not possible. If sensitive corporate details or Personally Identifiable Information (PII) are stolen, there are specific authorities to whom the theft can be reported. Previously, when ransomware or DDoS attacks occurred, companies were not obligated to report them, since no personal details were stolen or breached. Recently, CISA made it mandatory for companies to report such incidents.
Underreporting of cybersecurity incidents is a severe issue. According to some studies, only 25% of all incidents get reported. Another report paints a scarier picture, claiming that only 18% of incidents get reported. The Wall Street Journal (WSJ) says fewer than 10% of incidents get reported.
What gaps existed in previous cybersecurity regulations?
To tackle the underreporting, the US government, the Securities and Exchange Commission (SEC), and other cybersecurity agencies have drafted new rules and security regulations. Under these rules, companies must report all cybersecurity incidents. The regulations are binding on critical-infrastructure sectors such as healthcare, finance, communications, and energy. Under the new regulation, companies must report ransomware and DDoS attacks.
In June 2021, the US government signed two bills incorporating measures to improve the nation's cybersecurity. The law envisages a federal cyber workforce and promotes coordination on security matters across multiple tiers of government and private organizations.
According to the latest set of cybersecurity regulations, there are several situations that government and private organizations must record as reportable incidents and take proactive measures against. For example, consider a scenario where an attacker tries to log in to a system but is denied because the system enforces multi-factor authentication or the password is incorrect.
If the network administrator or security professionals identify this attempt, they should flag it as an "imminent threat." Likewise, if security professionals recognize cyber threats such as the Log4j vulnerability or other zero-day vulnerabilities, they should report them. They should also immediately deploy an incident response team to fix the problem. Another situation arises when an attacker gets into the system but is identified by security professionals and expelled.
Companies and regulators should address all these ambiguities and scenarios by incorporating the new cybersecurity regulations. A proper repository of the latest attack information and its details can guide every company toward safety. Companies can tackle such threats far more easily when there is sufficient information about what the attacker is trying to gain.
According to a recent study by the HIPAA Journal, 288 out of 200,000 vulnerabilities in the National Vulnerability Database (NVD) are being actively exploited. Such information helps companies prioritize which vulnerabilities to address first. Cybersecurity consultancies like Packetlabs also deliver proper guidance on adhering to cybersecurity regulations and reporting requirements.
What should companies do to adhere to new regulations?
Reevaluate company policies and procedures: Companies subject to SEC regulations should reevaluate their policies to determine whether "materiality" applies to the new regulations.
Maintain a Software Bill of Materials (SBOM): Most companies are unaware of vulnerabilities like Log4j that might exist in their systems because they do not know which components come bundled with the software packages they use. So, the new cybersecurity regulations propose that companies maintain a detailed and up-to-date SBOM. This helps security professionals quickly evaluate the software embedded within a complex computer system.
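As an added illustration (not code from the article or from Packetlabs), the following Python checks a CycloneDX-style SBOM against a list of advisories and surfaces components still carrying a vulnerable version, listing actively exploited ones first in the spirit of the NVD prioritization described earlier. The SBOM contents, the advisory entries and the "fixed in" versions are constructed sample values for the example, not real advisory data.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (sample data, not a real inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.9.8"},
    {"type": "library", "group": "org.yaml", "name": "snakeyaml", "version": "1.33"}
  ]
}
"""

# Constructed advisory list: "group:name" -> (first fixed version, actively exploited?).
# Sample values only; a real feed would carry CVE ids and exact affected ranges.
ADVISORIES: Dict[str, Tuple[str, bool]] = {
    "org.apache.logging.log4j:log4j-core": ("2.17.1", True),
    "com.fasterxml.jackson.core:jackson-databind": ("2.9.10", False),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def affected_components(sbom_json: str, advisories: Dict[str, Tuple[str, bool]]) -> List[Dict]:
    """Return SBOM components older than the fixed version of a matching advisory."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        key = f"{comp.get('group', '')}:{comp['name']}"
        if key not in advisories:
            continue
        fixed, exploited = advisories[key]
        if parse_version(comp["version"]) < parse_version(fixed):
            findings.append({"component": key, "version": comp["version"],
                             "fixed_in": fixed, "exploited": exploited})
    # Known-exploited findings first, then alphabetical, so triage starts at the top.
    findings.sort(key=lambda f: (not f["exploited"], f["component"]))
    return findings


if __name__ == "__main__":
    for f in affected_components(SBOM_JSON, ADVISORIES):
        print(f)
```

Only the outdated log4j-core entry is flagged; the 2.17.1 copy passes, which is exactly the distinction an SBOM lets a team make quickly during a Log4j-style event.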
Keep cyberattack guidelines up to date: Follow changes to cybersecurity regulations closely, as they directly affect insurance payouts after an attack. Proper adherence and reporting mechanisms simplify regulatory intervention after an incident.
Cybersecurity regulations depend on proper incident reporting for their efficacy. Adherence to the norms also helps victim organizations mitigate the situation better while simplifying the procedures for claiming insurance. With more regulatory agencies, experts, and governments entering the mix, regulations are likely to become more stringent.