At a glance.
- Suggestions for the Bureau of Cyberspace and Digital Policy.
- Changes to Arizona’s breach notification rules.
- Differing reactions to the SEC’s new cyber reporting rules.
Suggestions for the Bureau of Cyberspace and Digital Policy.
Last week the US State Department announced the launch of the Bureau of Cyberspace and Digital Policy (CDP), established to “address the national security challenges, economic opportunities, and implications for US values associated with cyberspace, digital technologies, and digital policy.” In the aftermath of recent attacks on US critical infrastructure like the SolarWinds incident, one of the bureau’s major focal points will be safeguarding the country against ransomware attacks. However, Fast Company posits that the CDP should also set its sights on combating online consumer fraud in order to better protect the everyday American from cybercriminals seeking to hijack their banking accounts or steal from their retirement plans. Likewise, if the CDP wants to shield the country from foreign adversaries, the bureau will have to find ways to establish investigation and enforcement treaties with the countries where these cybercriminals reside. Under the Mutual Legal Assistance Treaty, the US, UK, and Canada have agreed to honor each other’s data preservation letters, search warrants, and evidence, and seeking similar agreements with other nations could put the US in a more powerful position when it comes to fighting cybercrime that originates outside the country’s borders.
Changes to Arizona’s breach notification rules.
Eye on Privacy reports that the US state of Arizona has made amendments to its breach notice law impacting regulator notification requirements. As of July 22, organizations that experience a data breach impacting more than one thousand Arizona residents will not only have to notify the three largest consumer reporting agencies and the Arizona attorney general, but will also need to report the breach to the Arizona Department of Homeland Security. Once the breach is detected, the company will have forty-five days to inform the aforementioned entities. The amendment makes Arizona one of just a handful of states, including New York, that require impacted companies to notify multiple state regulatory agencies.
Differing reactions to the SEC’s new cyber reporting rules.
The US Securities and Exchange Commission’s (SEC) recently proposed cybersecurity disclosure rules for financial institutions are currently open for comment. Under the proposed rules, not only would the SEC require companies to report cyberincidents and develop concrete attack-response strategies, but company directors would also have to disclose specifics regarding the cybersecurity expertise of their board members and how the board integrates cybersecurity into its overall leadership of the company. Some feel the SEC is going too far. The asset-manager lobbying group the Securities Industry and Financial Markets Association (Sifma) has sent a letter to the SEC stating that while companies should have protocols for notifying the board about cyberincidents, directors shouldn’t have to manage such issues directly. “We believe the requirement that boards approve policies and procedures and exercise formal oversight is too prescriptive and crosses into the realm of management,” Sifma’s letter states.
Others, however, see the SEC’s proposals as a much-needed step toward transparency. Cyrus Vance Jr., partner and global chair of law firm Baker McKenzie LLP’s cybersecurity practice, told the Wall Street Journal, “I think it’s a reset, and I think the advantage of this reset is they’re being very clear. They’re telling you what they expect.” The new rules could motivate a more cohesive relationship between cybersecurity executives and board members who perhaps lack an in-depth understanding of cyber issues, while also encouraging CISOs to become more adept at assessing business risk. Steven Babb, CISO at Mitsubishi UFJ Financial Group’s investor services business, stated, “Anything that really raises the profile and the risks relating to security up at a board level can only, I believe, promote and enhance security practices.”