In 2023, the US Securities and Exchange Commission (SEC) adopted rules mandating registrants to disclose any material cybersecurity incidents within four days of determining their importance. Additionally, companies were required to reveal material information regarding their cybersecurity risk management, strategy, and governance on an annual basis. The regulations were implemented despite the fact that the Securities and Securities Exchange Acts, upon which the SEC based its rules, did not directly mention cybersecurity.
On the FCC front, in 2023, the US Federal Communications Commission (FCC) modified and reinforced its data breach notification rules for communications providers to safeguard against unauthorized use or disclosure of customer data. By issuing updated regulations, the FCC significantly amplified its enforcement authority under the Communications Act, which specifically addressed protections for customer proprietary network information (CPNI) and not the broader spectrum of customer data covered in the Commission’s rules.
Moving on to the US Cybersecurity and Infrastructure Security Agency (CISA), in April 2024, it put forth a proposal to adopt the cyber incident reporting requirements established under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The finalization of this rule is not expected until 2025. Throughout the development of this rulemaking, CISA had to interpret CIRCIA in a broader context to effectively implement the reporting requirements.
These regulatory developments mark significant progress in enhancing cybersecurity measures and ensuring the prompt reporting of cyber incidents. By enforcing stricter reporting guidelines and expanding regulatory authority, these agencies aim to improve data protection and bolster cybersecurity resilience in the face of evolving digital threats.
Overall, these regulatory changes signify a shift towards a more proactive approach to cybersecurity governance and risk management. Companies and organizations are now held to higher standards of transparency and accountability when it comes to managing and reporting cybersecurity incidents, reflecting the growing importance of cybersecurity in today’s interconnected digital landscape.