The recent clamor of legislative activity on Capitol Hill contains several common themes as the legislative branch moves to secure the U.S. cyber environment and solidify cybersecurity law.
The most noticeable is a recognition that voluntary action in the cyber and data privacy space is just not working, and that the federal landscape of agencies is just not coordinated well enough to support cybersecurity. This blog will analyze the running themes throughout the effort to craft and enact new cybersecurity law in 2023, and is the second part in a series. You can read part one here.
There are multiple overlapping documents and disjointed systems for detection and reporting, but more important is the recognition that our economy is driven by a complex, interconnected system that exhibits systemic risk. To address that systemic risk, cybersecurity law and data privacy legislation require covered entities to improve their risk management and governance approaches so that cyber risk is visible at the board and leadership levels.
In tandem with risk management, many of these measures are also defining a minimum baseline of preparatory and protective measures to ensure entities are left with no doubt about what is an acceptable level of preparation and defense, and what is not.
While Executive Order 14028 and the recently released cybersecurity strategy only apply directly to federal agencies, two key measures—the deployment of a zero trust architecture and improvements to the software supply chain (software bill of materials)—will trigger similar actions in the commercial space as this trickles down through contract agreements and establishes new, leading best practices.
Most of us have business priorities that are focused on running or growing the business and must prioritize and re-prioritize our work on a daily, even hourly basis. This makes it easy to place this tide of new cybersecurity law on the back burner.
Here’s a set of reasons why we believe you should take notice and adjust your strategy, priorities, and spending now to become compliant with the ever-changing cybersecurity and data privacy legislation.
The first and most obvious is that if you are a covered entity and required to comply with any of this legislation, it may take some time to implement the systems needed to become compliant.
Second, as these measures become required in publicly traded financial institutions and for all federal contracts, the expectation level or bar will begin to rise across all industries. Your business partners, and those you sell services to, will adopt similar requirements in their contracts and business dealings. You may even lose business to competitors who appear more secure to the purchasing executives.
Third, and finally, even if you are not directly impacted, cybersecurity law that becomes effective in 2023 will improve the understanding and deployment of leading practices and standards for all covered entities. This hardening process will inevitably make those covered entities more secure and, if you follow suit, reduce your own commercial risk.
The question then becomes, if your enterprise is less secure, will you become easy prey for threat actors? This is the proverbial “I only have to run faster than my colleague to escape the bear” analogy, as threat actors have shown time and time again that they are adept at targeting the least prepared as “easy pickings.”
Even if you are not directly impacted, you should take note, and re-assess your risk position—as the number of threat actors targeting you could well increase. You should put a cybersecurity improvement program in place now rather than wait for your first incident.
During the coming months, we will be analyzing key legislative changes and providing a more detailed view of what they contain, and what actions you may need to take, or would be well advised to take, as a result.
Alternatively, we would be happy to discuss these strategies with you in person, informally, or as part of a tailored security assessment and roadmap generation. Contact us today.
This blog post offers a personal opinion and is not intended as legal advice.