To Keep Up With Cybersecurity Laws, Go 'Federal First'
With new cybersecurity laws and regulations rolling out, the best way to maintain broad compliance is to align with the most stringent frameworks. In the U.S., that means taking a ‘federal first’ approach—conforming to the highest security requirements of the United States federal government.
Intensifying cyberattacks and heightened awareness of the risks they pose is driving the creation of new cybersecurity laws around the world, including in the U.S. at both the federal and state levels.
Some of these new measures are sector-specific, others apply more broadly, and all of them add to existing privacy and data protection regimes such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare, the Gramm-Leach-Bliley Act (GLBA) for financial services, and the European Union’s General Data Protection Regulation (GDPR), which covers any business with employees or customers in the EU.
To minimise complexity and maintain compliance, many organisations are taking a “highest bar” approach—conforming to the toughest relevant standards knowing that any lesser requirements will then also be covered, and that their cyber defences will be as strong as possible.
In the U.S., that means taking a federal-first approach: conforming to the highest security requirements of the United States federal government. The logic of this is that the federal government is a prime target for today’s most advanced cyberattacks, so the measures it insists on for protection are, by necessity, the strongest possible.
Enterprises that adopt those same defences should be both maximally secure and also better qualified to do business with the federal government because they are aligned.
The landscape of cybersecurity laws is getting more complex
A few major pieces of cybersecurity legislation have made headlines in recent years, including the 2021 Executive Order on Cybersecurity, the Strengthening American Cybersecurity Act, and its companion Cyber Incident Reporting for Critical Infrastructure Act. Specialised initiatives like the Federal Risk and Authorization Management Program (FedRAMP) have emerged to address specific needs such as government use of cloud services.
Various states have also begun to establish cybersecurity laws to protect companies in their jurisdictions, and regulators are intensifying their cybersecurity focus as well. The Securities and Exchange Commission (SEC), for example, is considering a proposal for cyber risk management that would apply to all publicly traded corporations.
To help organisations adopt more advanced cyber protections, bodies such as the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and the Scientific Working Group on Digital Evidence (SWGDE) have all published guidance on implementation and investigation.
The federal laws in particular establish some key principles for strengthening cybersecurity that any organisation would benefit from adopting.
What the new federal cybersecurity laws call for
The 2021 Executive Order on Cybersecurity acknowledges that citizens and businesses require—and in fact deserve to have—confidence in the security of the organisations and institutions they deal with. It stresses the need for comprehensive protection of cloud-based, on-premises, and hybrid IT and OT systems, with mandates for implementing zero trust architectures, multi-factor authentication schemes, and endpoint detection and response (EDR) solutions.
The Executive Order also emphasises the importance of greater partnership and information sharing between government and the private sector. This reflects the growing recognition that organisations can’t afford to be insulated: they need to exchange data on threats, trends, and other cybersecurity factors if they are to mount a strong collective defence.
The Strengthening American Cybersecurity Act seeks specifically to increase the cybersecurity of U.S. critical infrastructure and the federal government. The Cyber Incident Reporting for Critical Infrastructure Act requires critical infrastructure operators and federal agencies to report cyberattacks to CISA within 72 hours, and to report ransomware payments within 24 hours.
These two pieces of cybersecurity legislation also underscore the joint responsibility of the public and private sectors to act against cyber threats. According to Dark Reading:
The onus is on both public and private organisations to uphold [the principles of the Strengthening American Cybersecurity Act] as these incidents take place—regardless of the size or scale of the attack. Overall, the public sector should continue prioritising security-related legislation, and the private sector must follow the guidelines provided to them. A concentrated effort from both parties is the best way to protect the nation's most sensitive assets.
Compliance demands accountability
The 2021 Executive Order and the two critical infrastructure cybersecurity laws (with more on the way) seek to promote strong cybersecurity practices and to reinforce organisations’ accountability for ensuring the effectiveness of the measures they put in place.
This is also the motivation behind the SEC’s proposed new cyber risk management requirements, which consider making it mandatory for companies to report material cyber events within four days of their occurrence or face severe penalties. The premise, which many cybersecurity professionals agree with, is that greater transparency about cyber incidents will lead to greater resiliency.
The SEC proposal, if adopted, has the potential to create new security awareness and responsibility at the corporate board level and to prompt more direct interaction between Chief Security Officers (CSOs), Chief Information Security Officers (CISOs) and company directors. With a greater and more direct understanding of cyber risks and consequences, directors could prove more willing to allocate budgets and resources to security teams to protect their organisations.
Given how quickly the threat landscape continues to evolve, connecting security leaders directly to the boardroom would also speed up the ability of companies to respond to shifts and new needs. Even if the SEC proposal isn’t taken up, organisations should consider ways of engaging their boards directly in the security conversation.
Cybersecurity doesn’t stand still
The threat landscape is evolving not only due to new forms of cyberattacks but also because organisations are adopting novel technologies or using existing technologies in new ways—both of which are expanding their attack surface.
Cloud services are a key example. Enterprises have been benefiting from the economies and agility of the cloud for years now, and government agencies are eager to do the same. FedRAMP is designed to help them do so—without compromising on security or data protection. It provides a risk-based approach for adopting and using cloud solutions. Companies that want to sell cloud services to government agencies will need to be FedRAMP-compliant first.
The increased use of emerging technologies such as augmented reality (AR), virtual reality (VR), and AI-powered language and image processing platforms may require additional new cybersecurity laws, regulations, or frameworks to address their specific use cases going forward.
The ‘federal first’ approach brings many benefits
Complying with the most stringent cybersecurity standards should assure an organisation, its employees, partners, customers, and other stakeholders that the most rigorous measures available are being used to protect the business.
It also makes life easier for individuals tasked with ensuring compliance in a fast-changing and increasingly complex environment. Meeting the “highest-bar” requirements often automatically ensures that other, less stringent legal or regulatory obligations are fulfilled. At the same time, the most stringent cybersecurity frameworks tend to be built on common best practices. For U.S. companies, being federally aligned should mean they are well positioned to be compliant across different cybersecurity regimes and jurisdictions.
Many companies also find that complying with stronger frameworks provides business benefits as well. This was Trend Micro’s experience when putting in place the policies and practices needed to conform to the GDPR. While implementation was challenging, the exercise brought fresh perspective on how the company’s data was structured and handled, and revealed better ways of doing so.
Beyond policies, compliance with cybersecurity legislation and regulations requires the right technologies, especially those rooted in zero trust. Shifting away from point solutions toward a unified cybersecurity platform with third-party integrations allows security professionals to identify and mitigate cyber risks in real time, or near real time, across all the attack surfaces they have to protect.
With a federal-first approach and the right tools at their disposal, organisations can strengthen their cybersecurity posture and make themselves valued partners to government agencies at every level, across the country.
Next steps
For more Trend Micro thought leadership on cybersecurity legislation, check out these resources:
- Biden Cybersecurity Executive Order: Ex-USSS Reflects
- CISA Gov: ’23-25 Plan Focuses on Unified Cybersecurity