At a glance.
- Remediation planning under a Binding Operational Directive.
- FERC may introduce regulations for cybersecurity of bulk electrical power systems.
- SEC may expand Regulation Systems Compliance and Integrity.
Developing an agency remediation plan under President Biden’s Binding Operational Directive.
A binding operational directive issued in November by the White House provided federal agencies with two new tools to help them protect their data systems from intrusion: a catalog of critical vulnerabilities known by the Cybersecurity and Infrastructure Security Agency (CISA) to be exploitable, and a set of requirements to which all federal agencies must adhere in order to protect against those vulnerabilities. That said, it is up to each agency (and its third-party service providers) to develop a remediation plan that incorporates these requirements. Dark Reading recommends that a solid plan identify third-party risk to ensure that connected systems are not exposing sensitive data to attack. Systems must also be monitored continuously in real time so that, in the event of an intrusion, response can be immediate. Employee training to help staff identify and avoid potential threats is also key, and regularly updating systems ensures that available patches are actually applied.
FERC considers new regulation to defend bulk electrical power systems.
With the recent onslaught of cyberattacks impacting critical infrastructure (see: the SolarWinds incident), SC Magazine reports that a new regulation is being considered by the US Federal Energy Regulatory Commission (FERC) that would require the operators of bulk electric systems (BES) to implement internal network security monitoring. The North American Electric Reliability Corporation will be tasked with developing updated reliability standards for high- or medium-impact systems, which up until now have focused mainly on securing the network perimeter. In a notice about the proposed rule last week, FERC stated, “Based on the current threat environment…requirement for [internal network monitoring] that augments existing perimeter defenses is critical to increasing network visibility so that an entity may understand what is occurring in its CIP networked environment, and thus improve capability to timely detect potential compromises.” Monitoring tools could help BES operators establish a baseline of normal network behavior in order to better detect network intrusions and malicious activity. FERC is also requesting input from the public as to whether the directive should also cover cybersecurity standards for low-impact BES systems.
SEC chief suggests an expansion of Reg SCI.
During a speech at the Northwestern Pritzker School of Law’s 2022 Securities Regulation Institute, US Securities and Exchange Commission (SEC) head Gary Gensler discussed expanding the commission’s Regulation Systems Compliance and Integrity, or Reg SCI. Bloomberg explains that Reg SCI was established in 2014 to give the SEC more oversight of the technology supporting US trading systems, and Gensler indicated it could be time for some modifications. “The core goal of Reg SCI was to reduce the occurrence of systems issues and improve resiliency when they do occur,” Gensler stated. “A lot has changed, though, in the eight years since the SEC adopted Reg SCI.” He suggested adjustments to breach notification requirements, disclosure of cybersecurity practices, and third-party service provider regulations. ThinkAdvisor adds that Gensler urged investment companies and advisors not covered by Reg SCI to work on their cyber hygiene in order to ensure they are in compliance “with various rules that may implicate their cybersecurity practices, such as books-and-records, compliance, and business continuity regulations.” On the topic of data privacy, Gensler said he has requested input from SEC staff on potential updates to Regulation S-P, which outlines how investment companies and brokers protect customer data.