Here are four regions where new and evolving cybersecurity legislation and regulations could impact your business operations, especially if you’re running a global organization.
Cyber crime is projected to cost the world more than $10 trillion annually by 2025, growing at roughly 15% per year. With massive amounts of proprietary data and employee and customer personal information at risk, organizations that suffer a cyber attack (e.g., a data breach or ransomware) must be prepared to mitigate reputational damage, disruption to business operations and critical infrastructure, and the system vulnerabilities that were exploited.
It’s no surprise then that two-thirds of executives surveyed by PwC consider cyber crime to be their most significant threat in 2023. Consequently, security and risk leaders are feeling the pressure to strengthen their security posture and ensure they can comply with cybersecurity regulations.
The latter has become more challenging given that many global standard setters and countries have proposed or recently enacted legislation as a way to combat the sharp rise in cyber attacks. Yet, few businesses can keep pace with these rapidly changing cyber-related regulations, which differ from country to country and sometimes by industry. In fact, only 9% of organizations feel confident about meeting their disclosure requirements, according to PwC.
Here, we look at four regions whose new and updated cybersecurity regulations organizations must pay attention to.
Cyber attacks are becoming more frequent and severe in the U.S. Nearly 87% of U.S. organizations experienced a data breach in the past 12 months, according to the latest Cyberthreat Defense Report. In 2022, the average cost of a data breach in the U.S. was $9.44 million—roughly twice the global average.
In response, President Biden signed the Strengthening American Cybersecurity Act into law in March 2022, as part of the Consolidated Appropriations Act, 2022. The act has three parts, one of which, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), mandates strict incident-reporting deadlines for organizations in the 16 sectors the U.S. government designates as critical infrastructure.
Once the implementing rule is in force, covered entities in these sectors will be legally obliged to report a covered cyber incident to the U.S. Cybersecurity & Infrastructure Security Agency (CISA) within 72 hours of reasonably believing it occurred, and to report any ransom payment within 24 hours of making it. As of January 2023, the reporting requirements have not been finalized: CIRCIA gives CISA until March 2024 to publish a proposed rule and a further 18 months to finalize it. The statute already spells out what reports will have to contain: a description of the affected systems and of the unauthorized access, the estimated date range of the incident, the vulnerabilities and tactics exploited, the categories of information believed to have been accessed and, for ransom payments, the demand, the payment instructions and the amount paid.
A second U.S. regulation is on the horizon at the Securities and Exchange Commission (SEC). The rule proposed in March 2022 would require public companies registered with the SEC to disclose their cyber risk management practices, strategy and governance in their periodic filings, and to disclose "material" cyber incidents on Form 8-K within four business days of determining that an incident is material. The public comment period closed in May 2022, but as of January 2023 there has been no word on when the rule would take effect.
Europe is facing its own cybersecurity crisis: ransomware gangs steal more than 10 terabytes of data a month from organizations across the region, according to ENISA's 2022 Threat Landscape report, which ranks ransomware as the region's leading threat. An estimated 60% of affected organizations may have paid ransom demands.
In September 2022, the European Commission proposed new legislation to address the problem: the Cyber Resilience Act (CRA). The CRA responds to the sharp rise in attacks on software and hardware products by establishing common cybersecurity requirements for "products with digital elements", that is, hardware and software products that connect to a device or network, covering both how they are built and how vulnerabilities are handled once they are on the market.
If adopted, organizations that manufacture, import or distribute such products in the European Union (EU) will need to determine whether their products fall within scope. If they do, the organization will have to meet specific cybersecurity requirements for designing, developing, producing and placing on the market secure products with digital elements. The proposal singles out higher-risk "critical" product categories, such as web browsers, industrial automation and control systems, microprocessors and operating systems, for stricter conformity assessment.
The act builds on existing EU cybersecurity legislation such as the Network and Information Security (NIS) Directive, which sets out security and incident-notification obligations that member states must transpose into national law. It applies to operators of essential services in sectors such as healthcare, transport, energy and drinking water, and to digital service providers such as cloud computing services.
The EU periodically reviews this legislation, and a review in late 2020 led the Commission to propose a revised directive, NIS2. The Parliament and Council reached political agreement on NIS2 in May 2022; it was formally adopted in November 2022 and entered into force in January 2023. Member states now have 21 months, until 17 October 2024, to transpose it into national law. NIS2 widens the set of covered sectors and tightens reporting: affected entities must send an early warning to their national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month.
As one of the world's largest nations, China ranks third in the world for data breaches since 2004, according to a recent study by Surfshark. In mid-2022, attackers obtained a Shanghai police database containing records on roughly a billion Chinese residents, the largest data leak in the nation's history.
China's legal framework for cyber activity rests on three laws: the Cybersecurity Law (CSL), in force since June 2017, and the Data Security Law (DSL) and Personal Information Protection Law (PIPL), both passed in 2021. PIPL in particular takes its cues from the EU's General Data Protection Regulation (GDPR), a strict set of protections for personal data.
In September 2021, these rules were updated to require that any cybersecurity incident compromising the data of more than 100,000 users be followed by an investigation and evaluation report, submitted to the local authorities within five days. They also define "important data": anything that "may endanger national security and public interest in the event it is tampered with, destroyed, leaked, illegally obtained or illegally used."
International (non-Chinese) firms, however, are often still unclear about where their security practices fit into this. China intends to send third-party inspectors into company networks to trace the true scale of any damage or data incident, but the extent of that analysis (and how far the inspectors may go into your network) remains vague. Asia Online reports that Yahoo shut down its services in China on the day PIPL came into effect (1 November 2021), while LinkedIn withdrew from the country a month later.
IT leaders with operations in China should therefore: 1) have a plan in place for unannounced inspections and 2) designate a team ready to receive local inspectors, walk them through the data architecture, draw up cyber incident reports and provide any other documentation requested.
Cyber crime is on the rise in India, especially against government bodies. According to research from CloudSEK, India was the most frequently targeted country in the government sector in 2022, as attacks on government agencies nearly doubled.
Since June 2022, directions issued by the Indian Computer Emergency Response Team (CERT-In) require organizations in India to report cyber incidents, including data breaches, ransomware attacks, identity theft and any large-scale malicious activity within a corporate network, to CERT-In within six hours of noticing them or being informed of them. This is one of the strictest reporting windows in the world. Covered entities, which include service providers, intermediaries, data centres, corporate bodies and government organizations, must also retain the logs of their ICT systems for a rolling 180 days, within India, and produce them on request.
The directions' other requirements include synchronizing system clocks with the NTP servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), designating a point of contact for CERT-In and, for VPN, cloud and data centre providers, retaining subscriber and customer records for five years.
It has become abundantly clear that cyber crime is a top priority for governments worldwide. As threats and attacks increase, countries are likely to enact more legislation to limit their cost and their impact on national security, the public at large and critical industries and infrastructure. Gartner, for example, predicts that by 2025, 30% of nation states will have passed legislation regulating ransomware payments, fines and negotiations, up from less than 1% in 2021.
This legislation-heavy future means security and risk leaders, whether their focus is the physical or the digital domain, must stay abreast of new cybersecurity measures and what each means for their organization. Dataminr Pulse, Dataminr's real-time alerting solution, helps them do so by alerting on cybersecurity measures as soon as they surface and as they evolve.
Learn more about how Dataminr Pulse helps organizations like yours stay informed of and navigate today’s cybersecurity landscape.