At a glance.
- The SEC's emerging cybersecurity policy.
- FISMA metrics expected to be updated.
- The potential shape of a US Federal privacy law.
Predicting cybersecurity policy changes from the SEC in 2022.
Last week at Northwestern University Pritzker School of Law's Annual Securities Regulation Institute, US Securities and Exchange Commission (SEC) Chair Gary Gensler spoke about the SEC’s efforts to boost the “cybersecurity posture and resiliency of the financial sector.” Though the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are generally regarded as the lead federal agencies on cybersecurity, the SEC also plays an important part through its rulemaking and disclosure authority over the financial sector, and JDSupra discusses the moves the SEC could make going into 2022.
Gensler indicated the SEC might move to apply Regulation Systems Compliance and Integrity (Reg SCI) to the largest market-makers and broker-dealers. Outside of Reg SCI, investment companies, investment advisers, and broker-dealers can expect recommendations from the SEC on strengthening cybersecurity, cyber hygiene, and incident reporting. Public companies should be prepared for potential changes to disclosure requirements covering cybersecurity practices and cyber risk, including the disclosure of incidents to investors. Gensler also indicated that future measures could better identify and assess cybersecurity risks arising from service providers, and hold regulated firms accountable for those providers’ cybersecurity practices.
Updates to FISMA metrics in the coming year.
The White House’s Office of Management and Budget (OMB) has signaled major changes to the metrics it collects under the Federal Information Security Modernization Act (FISMA). Under FISMA, the Federal News Network explains, agencies must submit annual metrics to OMB for assessment. Separately, the FISMA 2022 bill introduced last week by leaders on the House Oversight and Reform Committee calls for changes to cybersecurity roles and responsibilities in the executive branch, as well as the replacement of “point-in-time assessments” with new, more dynamic standards. The new metrics focus on controls prioritized in President Joe Biden’s May 2021 cybersecurity executive order (Executive Order 14028), such as multifactor authentication (MFA) and encryption.
Grant Schneider, former federal chief information security officer and now senior director of cybersecurity services at Venable, applauded the emphasis on MFA, stating, “If I were to consult with an organization, and they could only do one thing, that would be the thing.” Other FY 2022 metrics emphasize obtaining measurable security outcomes through vulnerability disclosure programs, blue teaming, and penetration testing. And for the first time, the metrics include questions about each agency’s information security workforce. While the changes are viewed as positive, experts note that as agencies adapt, the first year’s results will likely leave much to be desired. “That doesn’t mean that our security is collapsing around itself,” states Ross Nodurft, former chief of OMB’s cyber team and executive director of the Alliance for Digital Innovation. “We have to be smart about how we’re understanding and interpreting these metrics.”
A call for a federal privacy law in the US.
On Friday, Decipher reports, the MITRE Corporation hosted a gathering of privacy experts to discuss US privacy regulation, and many asserted that, while much consumer privacy regulation is currently being addressed at the state level and in the courts, a federal privacy law is necessary. MITRE associate general counsel and chief privacy official Dena Kozanas stated, “People are becoming more privacy literate, and they have more expectations about privacy, but there is no single uniform national privacy law. This Congress has made advances in passing a comprehensive privacy law, but more needs to happen, and it needs to happen sooner rather than later.”
The lack of a federal regulation has led states to take the matter into their own hands, starting with 2018’s California Consumer Privacy Act. But the piecemeal nature of these regulations leaves many states uncovered and creates confusion for businesses that operate across state lines (as well as for the consumers who patronize them). Questions also arise over who would be charged with enforcing a federal law and how penalties would be assessed. And if the “compliance nightmare” (in the words of Alberto di Felice, DIGITALEUROPE’s Director for infrastructure, privacy and security policy) the EU experienced during the implementation of its General Data Protection Regulation (GDPR) is any indication, implementing a US regulation will be a complicated endeavor. Jordan Crenshaw, vice president at the U.S. Chamber of Commerce's Technology Engagement Center, feels that collaboration with the private sector is key: “You need to give companies lead time to get themselves together, so that it’s a collaborative versus combative compliance.”