The SEC's new cybersecurity rules are just the beginning of a wave of regulation that will affect every business in the US. Starting from Dec. 15, public companies have to report any cyberattacks within four days or face penalties. This means that breaches like the ones that hit Okta and 23andMe will have more serious repercussions than just the loss of data. But the SEC is not the only agency that is tightening its cybersecurity standards.
The federal government has identified 16 critical infrastructure sectors that are vital to national security and the economy. These sectors include not only the obvious ones like defense, finance, commercial facilities, and energy, but also many others that may not seem as critical, such as real estate, retail, sports, and entertainment. Within these sectors, there are subsectors that cover almost every aspect of our economy. All of these sectors and subsectors are subject to cybersecurity compliance requirements from different agencies and regulators.
The government is not playing around with cybersecurity. It is imposing strict and specific standards that every business must meet or risk losing contracts, customers, and reputation. Cybersecurity is no longer optional or nice-to-have. It is a must-have for every business that wants to survive and thrive in the digital age.
Good News for Businesses
The cyber threat landscape is changing rapidly, and so are the regulations that aim to protect the critical infrastructure and data of the U.S. and its allies. The recent executive order from the White House is a clear signal that cybersecurity is a top priority for the federal government and its contractors.
The executive order sets the stage for a new era of cybersecurity compliance, where minimum standards and best practices will be enforced across all sectors and industries that work with the government. This is not only a matter of national security, but also of economic competitiveness and resilience.
The U.S. is not alone in this effort. A coalition of 12 countries has joined forces to coordinate their cybersecurity policies and initiatives, creating a unified front against the cyber adversaries that target their interests. These countries include Australia, Canada, France, Germany, India, Japan, New Zealand, South Korea, the UK and others.
The cybersecurity compliance market is expected to grow significantly in the coming years, as more and more organizations will need to demonstrate their adherence to the required standards and frameworks. This will also have legal implications, as false or misleading claims of cybersecurity compliance will face scrutiny and penalties.
One of the most prominent examples of cybersecurity compliance is the CMMC 2.0 program, which applies to all DoD contractors and subcontractors. The CMMC 2.0 program requires organizations to achieve a certain level of maturity in their cybersecurity practices, depending on the type and sensitivity of the information they handle.
The executive order also mandates the development of baseline standards for all federal contractors, regardless of their sector or agency. This will replace the current situation, where different agencies have different and inconsistent requirements for their contractors.
In addition, some agencies have already issued specific regulations for their contractors, such as the TSA for airport and aircraft operators, the DHS for CUI protection, and the EPA for water sector security, and Congress has passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
The bottom line is that cybersecurity compliance is no longer optional, but essential for any organization that wants to do business with the federal government or its allies. Cybersecurity compliance is not only a legal obligation, but also a strategic advantage in a digital world.
The Government Goes All-In
The government is taking action to protect the economy from cyber threats by setting and enforcing mandatory cybersecurity standards for all sectors, just like it does for car safety features.
These standards are not only for the U.S. but also for other countries that want to do business with the U.S. government, such as Canada and Japan.
If companies or individuals fail to meet these standards, they could face legal consequences, such as lawsuits, fines, or penalties. For example, a former CIO of Pennsylvania State University is being sued for allegedly lying about the security of sensitive information. Aerojet Rocketdyne had to pay $9 million to settle a similar case. The government is also going after companies and executives that mislead investors about their cyber risks, such as SolarWinds and its former vice president of security.
Cybersecurity is no longer a nice-to-have feature, but a must-have requirement that affects the profitability and reputation of every business. The government is making it clear that cybersecurity compliance is not optional, but essential because the stakes are higher than ever.
Call to Action
If you are interested in learning more about how Fractional Information Security Officers (FISOs, aka vCISOs) can help you enhance your cybersecurity posture, you can contact Webcheck Security today. Webcheck Security is a trusted provider of FISO services, with experienced and certified consultants who can tailor their solutions to your specific needs and goals. Whether you need an FISO for a short-term project, a long-term partnership, or anything in between, Webcheck Security can help you achieve your cybersecurity objectives and protect your valuable data. To get started, visit their website at www.webchecksecurity.com, fill out the contact form, or call them at 1-833-PEN-TEST (1-833-736-8378). Don't miss this opportunity to work with some of the best FISOs in the industry and take your cybersecurity to the next level.