Disclaimer: This blog offers general information and should not be considered legal advice. Consult your own legal counsel for specific advice.
As Cybersecurity Awareness Month comes to a close, the conversation around cyber law persists. The global landscape of cyber regulations continues to grow rapidly as governments around the world acknowledge the need for robust cybersecurity measures to protect national security, public safety, and individual privacy. Recent key regulations include:
- Starting December 2023, the U.S. SEC Cybersecurity Disclosure Rules mandate public companies to report material cybersecurity incidents within four business days via 8-K filings. These rules also require disclosure of cybersecurity risk management processes in 10-K and other periodic reports.
- The EU NIS2 Directive compels all EU member states to implement laws by October 18, 2024, to protect essential and important organizations from cyber threats and achieve a high common level of security across the EU.
This blog contains a comprehensive list of over 30 recent global cyber regulations and guidelines, including effective dates and the applicable entities and sectors. More regulations are expected from state regulators, government agencies and industry bodies in the coming months.
Why Do All Organizations Need to Know These Rules?
Even if an organization isn’t a government agency, a public company, or in a regulated industry, it may still be affected by these rules due to “supply chain flow-down.” A company not categorized as “critical infrastructure” under the regulations can still affect a critical infrastructure customer’s ability to meet its reporting obligations in the event of a cyber breach. Similarly, manufacturers of IoT device components or data analytics providers can find themselves subject to these regulations through their customer relationships.
If an organization has a customer (or a customer of a customer) that is a government agency, a critical infrastructure operator, or in a regulated industry, these rules would apply to some extent.
Be Informed, Not Overwhelmed
We summarized the general themes of these cyber rules below to help an organization stay ahead of the curve:
Theme #1: Prescriptive Must-Haves
Rather than leaving it to organizations to adopt best practices, many regulators now specify a list of must-haves. For example:
- The U.S. FTC Safeguards Rule, effective June 2023, specified 9 elements of a “reasonable information security program” for all covered financial institutions.
- The New York Attorney General, in April 2023, highlighted findings from recent investigations and offered guidance in 9 specified areas.
- EU NIS2, similarly, highlighted 10 minimum standards for its 27 member states to implement in their national laws by October 18, 2024.
Theme #2: Enforcement “teeth”
To address inconsistent supervision and enforcement across different governments and agencies, the NIS2 Directive requires each member state to provide for penalties of up to 2% of global annual revenue or EUR 10 million. NIS2 further provides a minimum list of supervisory means, including “regular and targeted audits, on-site and off-site checks, request of information, and access to documents or evidence.”
Penalties for non-compliance include not only sanctions against the organization, but also civil and criminal liability for supervising executives. The recent SEC charge against SolarWinds’ CISO, the FTC order against the former Drizly CEO and the DOJ’s criminal conviction of the former Uber Chief Security Officer served as fresh reminders of personal accountability.
Theme #3: Faster and Broader Incident Reporting
Many countries already have laws that require reporting of personal data breaches. Recent rules expand such requirements beyond personal data to business data, such as access credentials, material business information and IoT devices.
Another new development is faster, multi-stage reporting. Under the NIS2 Directive, affected companies have 24 hours to submit an early warning to the competent national authority. The early warning should be followed by an incident notification within 72 hours of becoming aware of the incident and a final report no later than one month later. The U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), similarly, requires critical infrastructure entities to report covered cyber incidents to CISA within 72 hours of reasonably believing that the incident occurred. If the incident involves a ransom payment, the reporting window is shortened to 24 hours.
Theme #4: Unified Certification, Attestation, etc.
The regulations aim to promote a unified certification approach to ensure consistent and standardized security measures across the critical infrastructure supply chain.
One effort in this regard is the U.S. Department of Defense (DoD)’s CMMC 2.0 update. CMMC stands for Cybersecurity Maturity Model Certification; CMMC 2.0 applies to sensitive unclassified information shared by the DoD with its contractors and subcontractors. The NIS2 Directive, similarly, recommends that its member states require essential and important entities to procure products and services certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881.
For more details around these recent developments, check out the recording of our Webinar “Quick Guide to Global Cyber Laws: Be Informed; Not Overwhelmed” here.
In our next blog, we will provide detailed recommendations around the strategies for complying with these cyber regulations. For now, consider these best practices:
- Know your regulators and rules
- Document InfoSec policies and practices consistent with the rules
- Know where your data is
- Practice cybersecurity hygiene
- Elevate cybersecurity discussions to the Board of Directors and the C-Suite
- Evaluate government certification and assessment requirements
List of Recent Global Cyber Regulations and Guidelines
| Category | Name | Issue/Effective Date | Applicable Entities/Sectors |
|---|---|---|---|
| Executive Order | Executive Order 14028 on Improving the Nation’s Cybersecurity | May 2021 | All |
| Federal Law | Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) | March 2022; rules expected by March 2024 | Critical infrastructure (16 sectors) |
| Federal Rules | Securities and Exchange Commission (SEC) Cybersecurity Disclosure Rules | July 2023, effective Dec 2023 (June 2024 for smaller reporting companies) | Public reporting companies |
| | CMMC Model 2.0 certification | Rule-making in progress | Department of Defense contractors and subcontractors |
| | Proposed FAR Cyber Threat and Incident Reporting and Information Sharing Rule | Comment period ends on Dec 4, 2023 | Parties subject to FAR (Federal Acquisition Regulations) and subcontractors |
| | Proposed FAR Rule Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems | Comment period ends on Dec 4, 2023 | Parties subject to FAR and subcontractors |
| | Proposed Common Form for Self-Attestation by Software Producers | Expected 2024 | Parties subject to FAR and subcontractors |
| | FedRAMP Authorization Act | January 2023 | Government contractors with SaaS products |
| | TSA Directives | Mar, May & July 2023 | Transportation, pipelines |
| | FTC Safeguards Rule under the Gramm-Leach-Bliley Act | June 2023 | Financial services |
| | 23 NYCRR Part 500: NY State Cybersecurity Requirements for Financial Services Companies | Expected 2024 | Financial services |
| | Federal Food, Drug, and Cosmetic Act (FD&C Act) section 524B | March 2023 | Medical devices |
| | FTC Health Breach Notification Rule | Rule-making in progress (comment period ended Aug 8, 2023) | Vendors of personal health records (“PHRs”) and related entities not covered by HIPAA |
| Guidance | NY Attorney General Guide | April 2023 | NY companies |
| Industry Standards | NIST Cybersecurity Framework 2.0 | Comment period ends on Nov 4, 2023 | All |
| | PCI DSS v4.0 | August 2022 | Payment processing |
| | ISO/IEC 27001 standards | October 2022 | All |
| | CIS Critical Security Controls v8 | May 2021 | All |

| Jurisdiction | Name | Issue/Effective Date | Applicable Entities/Sectors |
|---|---|---|---|
| EU Directives | EU Network and Information Security Directive (NIS2) | 18 October 2024 | Essential and Important Entities |
| | EU Digital Operational Resilience Act (DORA) | 18 October 2024 | Financial services |
| | Critical Entities Resilience Directive (CER) | 18 October 2024 | Critical infrastructure (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food) |
| | Cyber Resilience Act (CRA) (proposed) | 15 September 2022 | Financial services |
| UK Guidance | Ofcom Guidance for the digital infrastructure subsector: revised NIS Guidance | May 2023 | Digital infrastructure subsectors (TLD Name Registry, DNS Resolver Service, DNS Authoritative Hosting Service, IXP) |
| Canada | Critical Cyber Systems Protection Act (CCSPA) (proposed) | December 2022 | Designated Operators of critical cyber systems to vital services & systems |
| Australia | The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) | April 2022 | Critical infrastructure (communications, financial services / markets, data storage or processing, defense industry, higher education/research, energy, food & grocery, health care & medical, space technology, transport, and water and sewerage) |
| Singapore | Online Criminal Harms Bill (proposed) | August 2023 | All |
| India | MeitY directions No. 20(3)/2022-CERT-In | April 2022 | All |